Author Topic: [Inactive] Infected With TDSS Rootkit  (Read 19467 times)


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22623
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #15 on: May 12, 2011, 05:12:08 PM »
Can you run the scans in normal Windows? From here on out you should not be rebooting into Safe Mode, unless it will not run that way.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #16 on: May 15, 2011, 05:13:04 PM »
Hi Hoov,

Ran McAfee and Malwarebytes in normal Windows and both were clean. Everything seems to be working fine with no problems.

You asked about any questions or concerns...

1.  Should I leave those two logs on the Safe Mode desktop?

2.  If I understand you correctly, at this point, you can't be 100% sure that the TDSS is gone. Do we have any more bullets in the gun? If not, how concerned should I be about possible identity theft/security issues assuming they are still there with no symptoms?

3.  Can you help me with the "Ending Program" question?

Again, thank you for your help.

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #17 on: May 15, 2011, 05:43:44 PM »
1. You can get rid of the logs or wait until we do the cleanup.

3. Possibly. Please give me the event viewer logs using the instructions I posted before. That will give me a better idea of the exact program that is not shutting down correctly.

2. This is a simple yet complex answer. The best we can ever do when cleaning a computer is "reasonably sure". The reason for this is that we are not there seeing exactly what is going on; we are relying on a second person (you) to report the problem to us. Some things can be a problem that you have gotten used to, so you no longer think it is a problem. Even with my own system, I can only be reasonably certain that I have gotten rid of the problem. Every day I use the computer and no problem shows up, I am just a bit more certain.

With my first computer I got a virus. This was pre-internet. How did I get the virus? That was the last virus that ever had full access to my computer. But I still run an AV scanner to make sure nothing like that happens again. Not to make light of your question, I want to share a link with you. It is the Perfect Firewall.

The only way to be absolutely certain that TDSS is gone is to replace your hard drive. You have been using your computer for around 6 days since ComboFix was run. I am fairly certain you have rebooted several times since then and have spent some time on the internet. If TDSS was still on your computer you would have seen it by now.

The one problem that remains with all malware infections is that we very rarely know where it came from. If it came from a DVD that you burned, another computer on your system or some other local item, you will be back in a fairly short time with the same problem, so we will know where to look. But if it was from some random webpage, chances are you will not ever have this problem again, or if you do it will be in a long while, as long as you follow the guidelines that I will give you when we are done cleaning up. If I was using your computer with my personal info, I would not be worried about my privacy. If you want odds, there is probably a .01% chance of a problem still being there.

Does that help at all?


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #18 on: May 17, 2011, 03:40:00 PM »
Hi Hoov,

1. Will wait for cleanup.

3. Logs attached. Boy, do they look interesting...

2. Yes, it helps huge. Thanks for the concise explanation and what appears to be good news as well. Laughed out loud at your link. Also got the message.

When I was originally researching my problem I ran across a Dell forum where your Kevin was helping a poster with a similar TDSS situation. (That's how I found SpywareHammer) The poster was way ahead of me and was pointing out a tech thing he was seeing that pushed them both to dig deeper and eventually solve the problem. To your point, I'm concerned that the lack of savvy on my end might keep us from killing this thing completely. The best I can do is report the obvious and follow your instructions to the letter. Please let me know if I should be looking for some TDSS lair I don't know about.

Computer still seems to be running ok.


Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #19 on: May 17, 2011, 07:26:36 PM »
About the TDSS issue, no, there is no place else to look. We recently had a new variant pop up that we were having a hard time getting rid of (probably what you read about in Kevin's thread), but the tools have been updated to deal with it. TDSSKiller does a fantastic job of getting rid of it. If it came back, you would start having problems with the OS or with your browser searches. You have rebooted enough times to allow TDSS to come back if it was still there.

Now regarding the event viewer logs, starting on the 13th all of your problems seem to have gone away. This is a good thing, except we are troubleshooting a problem, which makes it a bad thing. So we go at this a bit differently.

I need you to reboot Windows cleanly. To do that, please go to the Run command and type in msconfig. Once that starts, select Selective Startup, and then uncheck Load Startup Items. Now click on the Services tab and, down near the bottom of the window, check the box that says Hide All Microsoft Services. Now go up and uncheck all the services still listed; make sure you scroll down the list if needed to unselect all the non-Microsoft services. Now click Apply, then click OK and reboot the computer.

Now reboot the computer again, and see if the computer has that End Program message again. If not, run msconfig again, recheck all the services, then click Apply and then OK and reboot again. Then once the computer has started, reboot again and see if the End Program message comes back. If it doesn't, run msconfig again, unselect the non-Microsoft services again, and check all the startup items. Then click Apply and OK and reboot. Then once the computer is running again, reboot it and see if you get the End Program message again. Now run msconfig, select Normal Startup, then click Apply, then OK, and reboot.

Let me know when the End Program messages appeared in the above procedure. I know it is long and involves a lot of rebooting, but that is the only way to track down the problem.

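The clean-boot bisection above toggles two sets of things by hand: the non-Microsoft services and the startup items. As an added example that is not part of the thread, the following PowerShell script lists exactly those two sets, with the Authenticode signer of each service binary standing in for msconfig's "Hide all Microsoft services" filter, so the candidates for an End Program hang can be written down before the reboot cycle begins. It assumes Windows PowerShell 3.0 or later running in an elevated (Administrator) session; the thread's XP Home machine would not have that, so this is a triage aid for the same problem on a current Windows system, not the tooling Hoov used. The Run key paths and Startup folders are the standard Windows locations; the path-extraction heuristic and the signer check are my assumptions.

```powershell
# Added example, not from the thread: list what msconfig's "Selective startup"
# toggles (non-Microsoft services and startup items) so the candidates for an
# "End Program" hang are known before the reboot bisection starts.
# Assumes Windows PowerShell 3.0+ in an elevated (Administrator) session.

function Get-ImagePath {
    # Reduce a service command line to the executable path (heuristic:
    # quoted path, else cut after the first ".exe", else first token).
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine.StartsWith('"')) { return $CommandLine.Split('"')[1] }
    $i = $CommandLine.ToLower().IndexOf('.exe')
    if ($i -ge 0) { return $CommandLine.Substring(0, $i + 4) }
    return ($CommandLine -split ' ')[0]
}

function Get-NonMicrosoftService {
    # Counterpart of msconfig > Services > "Hide all Microsoft services":
    # keep services whose binary is not Authenticode-signed by Microsoft.
    # Services hosted in svchost.exe resolve to a Microsoft-signed image
    # and are therefore hidden, which matches what msconfig shows.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ImagePath $_.PathName
        $signer = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        if (-not ($signer -and $signer -match 'O=Microsoft Corporation')) {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $exe
                Signer    = $signer   # $null means unsigned or file not found
            }
        }
    }
}

function Get-StartupItem {
    # Counterpart of msconfig > Startup: the Run registry keys plus both
    # Startup folders. Registry entries report their full command line.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that
            # Get-ItemProperty attaches to every registry object.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

'== Non-Microsoft services (msconfig: Hide all Microsoft services) =='
Get-NonMicrosoftService | Sort-Object State, Name | Format-Table -AutoSize
''
'== Startup items (msconfig: Startup tab) =='
Get-StartupItem | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before the first msconfig change and keep the output; each reboot in the bisection then removes a known, named set of entries, and the "Access denied" that msconfig produced later in the thread for a non-administrator account is the same elevation requirement this script states up front. A service whose Signer column is empty is the first thing to look at, since an unsigned binary that starts automatically is exactly what msconfig's filter is designed to surface.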

Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #20 on: May 23, 2011, 07:04:31 PM »
Hi Hoov,

1. Please educate me... after seeing no comments about this anywhere, I have to ask about SpywareHammer being down the last few days. Does this happen often?

2. Followed your instructions to the point of clicking Apply and got a Sys Config box that said "An access denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes." (I don't use the admin account and have only been there a couple of times lately when I've used Safe Mode.) I put everything back the way it was and exited without restart.

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #21 on: May 23, 2011, 07:18:39 PM »
About SpywareHammer being down, it has been working fine from here. Were you having any other connectivity issues with any other sites? We did have 2 days where the e-mail system went down, so some notices of replies did not go out. But the site was still going strong.

About msconfig and needing an Admin account, you will need to use that because when you are doing what I suggested, you are killing some of your protection. When you do that, Windows wants to make sure you are an Administrator of the computer.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #22 on: May 24, 2011, 03:36:26 PM »
Hi Hoov,

1. No other connectivity issues at all. When I continued to get the "Windows Explorer cannot ..." page I called somebody 30 minutes away from me who had accessed SpywareHammer before and had them try for a few days also. Same result. They are now able to access also.

2. Remember, I'm running XP Home. How do I access Administrator from normal mode? I thought it was only available in Safe Mode.

Computer has been running with no issues and scans are clean. Thank you.

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #23 on: May 24, 2011, 07:08:19 PM »
I will find out about the connection problem. Do you and the other person have the same ISP?

To access the Admin account, you can log off your user account; then you should have the option to log on to your account or the Admin account. Or you can go to the Control Panel and then to the user control panel and change your account type to an Admin account. Then when we are done, change it back to a limited user account.


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #24 on: May 26, 2011, 04:36:59 PM »
Hi Hoov,

1. Yes, same ISP...CableOne

2. Went to Control Panel and it turns out I had my two active accounts (one of which we never use) both as "Computer Administrator". Also have a Guest account that's turned off (the James account I told you about earlier). I switched the second Admin account to "Limited" and restarted in the one remaining Admin account (the one we use all the time). Then I followed your instructions again. I got the same Sys Config box, so I put everything back the way it was, restarted and tried again. Same result, but... I don't know exactly when it went away, but the End Programs box is gone.


Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #25 on: May 26, 2011, 05:35:40 PM »
You probably need to log in as the other Admin account, change yours to limited, reboot and then change it back to administrator. But if the End Program box is gone, then it really isn't necessary, though you may need to do it in the future.

Are you having any other problems or have any other questions or concerns?


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #26 on: May 26, 2011, 06:30:23 PM »
If I understand you correctly, I would first need to go back, while I'm in my admin account (I changed the other one to limited), and change the second one back to admin, then reboot.

Then follow your instructions and log in as the other Admin account, change mine to limited and reboot.

When I "reboot and then change it back to administrator", should I reboot into mine or the second?

Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #27 on: May 26, 2011, 06:47:55 PM »
Reboot to the second one.


Offline Hoov

Re: [In Progress] Infected With TDSS Rootkit
« Reply #28 on: May 29, 2011, 08:51:17 PM »
soupman, how is it going?


Offline soupman

Re: [In Progress] Infected With TDSS Rootkit
« Reply #29 on: May 29, 2011, 10:28:05 PM »
Hi Hoov,

Lots of reboots but no luck. Researched the subject and it seems to be a fairly common problem with numerous possible causes: HP printer software (I have), McAfee (I have), etc. I think I'll take your advice and move on.

I haven't mentioned that it's taking quite a bit longer to boot up since we ran ComboFix, but I really noticed it when I was booting both accounts. Maybe the cleanup you mentioned will help?

Any news on the connection problem?

Computer has been running with no issues and scans are clean. Thank you again.