Author Topic: [Inactive] Infected With TDSS Rootkit  (Read 33906 times)

Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #150 on: December 06, 2011, 04:33:36 pm »
ImgBurn appears to be exactly what I need. Thank You.

I do have some questions on the three steps you've given me...

Step 1.
If I have two reasons for burning this CD. 1) to run SFC and 2) to keep CD for the reinstall of windows if needed. Should I be slipstreaming IE, Firefox, NoScript, Windows Media Player, etc., etc. into this? (Remember, thanks to you, I am now happily using Firefox.) I have researched this and I am getting the impression that slipstreaming is substantially easier/less time consuming than downloading after a reinstall? Is this the case?

Step 2.
Am I supposed to disregard these notes in the link?

"This installation package is intended for IT professionals and developers downloading and installing on multiple computers on a network. If you're updating just one computer, please visit Windows Update at http://update.microsoft.com."

DO NOT CLICK DOWNLOAD IF YOU ARE UPDATING JUST ONE COMPUTER: A smaller, more appropriate download is now available on Windows Update.

Step 3.
On the nLite download page I see the installer link. What are the 01 02 03 below?
What is the "self-extracting archive"?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #151 on: December 06, 2011, 07:13:34 pm »
1. Yes you can. But there is a limit on how many programs you can add in there. Personally I think keeping one CD with Windows only, and then another with all the current software is a better way of doing it. The other programs don't take too long to install on their own, but Windows can take a bit.

2. This file is good for creating a disc such as what MS shipped with XP SP3 discs, that way it does not matter what computer you install it on, all the possible updates are there. If you ever decide to replace your computer but keep XP, then you will have the install disc, and don't have to worry about an update missing.

3. I don't see any 1, 2 or 3 on the page. Is this the address you are at? http://www.nliteos.com/download.html

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #152 on: December 07, 2011, 03:23:05 pm »
1. Exactly what I needed to know.

2. Misunderstanding.
My question is... Am I supposed to disregard the notes that say "DO NOT CLICK DOWNLOAD IF YOU ARE UPDATING JUST ONE COMPUTER: A smaller, more appropriate download is now available on Windows Update."?
Should I use the download for "installing on multiple computers on a network" that you've sent me to?

3. Yes, that's the right page. In the middle of the page I see the "download" link and right below there are three numbered links, 01 02 03. What are the 01 02 03 below?
Right below those I see the "self-extracting archive" link with the same 01 02 03 links below. What is the "self-extracting archive"?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #153 on: December 07, 2011, 06:47:55 pm »
2. Yes, ignore the warning. They want you to update your computer thru Windows Update. This is system specific. The disc you are making is not. It is a general XP SP3 disc. You would be able to use this to run an sfc on any XP computer.

3. I have no idea. I tried in 4 different browsers and I don't see what you do. Here is the link you need, and just in case the link doesn't work, here it is again: http://nliteos.pcrpg.org/nlite/nLite-1.4.9.1.installer.exe


Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #154 on: December 17, 2011, 04:49:57 pm »
2. Perfect. Again, exactly what I needed.

3. The page has changed. 01 02 03 are gone. Now there are 2 mirrors after both the "installer" link and the "self-extracting archive" link.
My questions...
3a. I assume I should be using the installer link? (Are the mirrors there in case the installer link doesn't work or?...)
3b. What is the "self-extracting archive" link?

Back to Step 1.
The instructions say to "Place in an empty folder and run the batch file". When I click the download link it goes to the Firefox Download box (upper left of my screen).
Questions...
1a. How do I send it to an empty folder? Is the desktop a good place to save to? 
1b. It also says "You can also place it in your current updates folder and it will scan for and retrieve any missing files." I'm not aware of mine, if I have one. Do I? Should I?
1c. Possibly related to 1b above. The page was last updated Nov 10, 2011. Refreshing the page has no effect. Are all the missing updates since then going to be a problem?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #155 on: December 17, 2011, 09:02:52 pm »
An installer will install the program; that means when you are done with it you can use the Add / Remove program control panel to get rid of it. The self extracting archive will just extract the program to a folder that was decided on when the program was compressed. Either one will work; what determines the one you use is how easily you want to be able to get rid of it.

Once you get it downloaded, you double click on the file and extract the contents to the folder you want (I am assuming that you are talking about the UDC program here).

As for the updates folder, you don't have one so skip that. As for the missing updates, there will only be a few that are not listed, and you can always get them later. With the downloads that you do get, you will be saving yourself pretty much an entire day of downloading and rebooting. The ones you don't get you will be able to get thru a normal Windows Update in a single update session.


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #156 on: December 22, 2011, 07:41:43 pm »
soupman, how is it going?


Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #157 on: December 24, 2011, 04:41:01 pm »
Step 3.
So if I understand correctly, the easiest one to get rid of is the self-extracting archive?

Back to step 1. (UDC)
When I click on the download link it brings up a box asking if I want to Open With... or Save File.
When I Save File it downloads a zip file to the Downloads Folder. I've stopped there. I think I want this thing in a folder on my desktop. Am I going in the right direction?

Thank you for the scoop on the updates folder. Exactly what I needed to know.

Thank you for your patience Hoov, and Merry Christmas.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #158 on: December 24, 2011, 08:30:14 pm »
Step 3, either one of them is easy to get rid of. The self extracting archive version can just be deleted. The installer version gets uninstalled.

Step 1. You can save it to a folder wherever you want. You just need to remember where it is.

You are welcome, and Merry Christmas to you and yours!


Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #159 on: January 03, 2012, 06:27:38 pm »
Step 1.
Updates are now sitting in a folder on my desktop. Just needed to go one step further. Thanks.


Step 2.
(XP SP3 file) Clicked download link and then clicked save. Didn't get a choice of where, and it downloaded to my Mozilla Downloads file box. Thinking I would get a choice, to send to my desktop at the next step, I clicked on the download and clicked Run in the box that came up.

Apparently it extracted all to C:\89d3eb59a.......etc, etc. Windows search doesn't find this.

Question 1. What the heck do I do about this file?

Question 2. How do I get the darned thing to my desktop?

Happy New Year

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #160 on: January 03, 2012, 06:59:49 pm »
Go ahead and delete the folder it created. To move it to the desktop, right click on the file and select copy, then right click on the desktop and select paste.


Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #161 on: January 04, 2012, 04:24:29 pm »
Windows search doesn't find  C:\89d3eb59a.......etc, etc. This is where it was extracted to.
Was this a temp file that's now cleaned out? If not, how do I find and kill it?

What I DID find in Docs and Settings>My Docs>Downloads> folder is a WindowsXP-KB936929-SP3-x86 ENU Self-Extracting Cabinet file, 316 MB and the right date. I assume this is what I'm looking for?



Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #162 on: January 04, 2012, 04:30:21 pm »
WindowsXP-KB936929-SP3-x86-ENU.exe is the SP3 file. That is the one you need with nlite.


Offline soupman

  • Bronze Member
  • Posts: 144
Re: [In Progress] Infected With TDSS Rootkit
« Reply #163 on: January 04, 2012, 05:04:30 pm »
Good, thanks.

What about:
"Windows search doesn't find  C:\89d3eb59a.......etc, etc. This is where it was extracted to."

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25501
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Infected With TDSS Rootkit
« Reply #164 on: January 04, 2012, 05:55:54 pm »
By all rights, when you canceled the install it should have cleaned up after itself. Go into Windows Explorer and see if there is a folder in the C: drive that looks odd. If there is, tell me what it is.
