Rootkit.TDSS.v3 infection-recycler infection [Solved]

Welcome to your place for tech questions! ( Log In or Join today ) Get answers from experts today. (it's 100% free) Virus removal forum

What the Tech > Spyware / Malware / Virus Removal > Virus, Spyware & Malware Removal

3 Pages

1 2 3 >

Rootkit.TDSS.v3 infection-recycler infection [Solved], Can't remove the infections

Options

Armor7 View Member Profile	Apr 12 2012, 08:28 PM Post #1
New Member Group: Authentic Member Posts: 14 Joined: 12-April 12 Member No.: 100,039 Operating System: XP	Dear Tech Experts, Recently my PC Tools antivirus detected the high risk virus: Rootkit.TDSS.v3; whenever I click on clean though, it claims to have cleaned but it requires a reboot to finish removing the infection. Upon rebooting, it does a short scan and states that no infections were found. However, when I redo a full scan, the virus is detected again. So far, I have not experienced the symptoms associated with the virus except for slowing down of the system, so I find it very strange. Before this, my computer was infected by a virus known as the recycler which makes folders on flash drives shortcut folders while taking the information therein; I had hell removing and even quarantining this virus and after following some online guides I had assumed it gone seeing that my flash drive no longer became infected. I suspect though that it is still present and may have led to further infection of my netbook. At the moment, my external western digital harddrive is still infected by it; I have no access to my folders therein since attempts to open them are stopped by PC TOOLS which detects this name: TROJAN.GEN. I would really like to have my pc and external harddrive clean again once and for all. I had to already redo my OS at one point in time. I thank you in advance for your assistance Respectfully, Tony

Satchfan View Member Profile	Apr 13 2012, 04:03 AM Post #2
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	Hello Armor7 and welcome to the WTT forum. My name is Satchfan and I would be glad to help you with your computer problem. Please read the following guidelines which will help to make cleaning your machine easier: please follow all instructions in the order posted please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked if you don't understand something, please don't hesitate to ask for clarification before proceeding the fixes are specific to your problem and should only be used for this issue on this machine. please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed! IMPORTANT: Please DO NOT RUN ANY TEMPORARY FILE CLEANERS Please DO NOT install/uninstall any programs unless asked to. Please DO NOT run any scans other than those requested =================================================== Run DDS Please download DDS by sUBs from one of the following links and save it to your desktop. DDS.scr DDS.pif • disable any script blocking protection (How to Disable your Security Programs) • double click DDS icon to run the tool (may take up to 3 minutes to run) • when done, DDS.txt will open. • after a few moments, attach.txt will open in a second window. • save both reports to your desktop. • Post the contents of the DDS.txt and Attach.txt reports in your next reply =================================================== Run aswMBR download aswMBR.exe to your desktop. double click aswMBR.exe to run it if asked, accept the AVAST virus definition download click the "Scan" button to start scan on completion of the scan click Save log, save it to your desktop and post in your next reply Logs to include with next post: DDS.txt Attach.txt aswMBR log Thanks Satchfan

Satchfan View Member Profile	Apr 15 2012, 03:04 AM Post #3
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	It has been a couple of days since I sent instructions to help with your computer problems. Please let me know if you still need help Satchfan

Armor7 View Member Profile	Apr 15 2012, 09:09 AM Post #4
New Member Group: Authentic Member Posts: 14 Joined: 12-April 12 Member No.: 100,039 Operating System: XP	Greeting Satchfan, I apologize for the late post but thank you for your prompt reply. I do hope that this post is the right way of replying to yours; since the instructions said to not reply to your own posts I was wondering if I have to write a whole new topic each time I was posting or am I doing the right thing by replying directly to you? Also, in my problem description, I mentioned my external hard drive: should I have it plugged in for the scan or should I not? In addition, my computer, by automatic updates, wants to finish updating by restarting; should I allow it? (I know one of the instructions is to not install any programs or so; I just want to be sure you don't mean updates or so. Lastly, I do not know how change the DDS.txt to a zip file; is it possible to give me some instructions on that as well? I am very thankful for your kind assistance. Respectfully Tony

Satchfan View Member Profile	Apr 15 2012, 10:21 AM Post #5
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	Hi Tony QUOTE I do hope that this post is the right way of replying to yours That is the correct way - you just click the "Reply" button at type in your reply. This is also where you copy and paste the logs that you get from the programs you are asked to run. QUOTE my computer, by automatic updates, wants to finish updating by restarting You can allow the Windows updates to finish by restarting. QUOTE I mentioned my external hard drive: should I have it plugged in for the scan Don't worry about the external hard drive at the moment. With DDS and the other logs, you don't have to zip them. You will see logs on your desktop when you have finished running the program. With DDS they will be called DDS.txt and Attach.txt. Open them up one at a time by double-clicking on them. When you open one, highlight the whole log then copy it and paste it in your reply. Repeat this for aswMBR also. If you are still unsure, let me know and we'll do one log at a time. Satchfan.

Satchfan View Member Profile	Apr 15 2012, 04:53 PM Post #7
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	Hi Tony I received your logs but as it is nearly midnight here in the UK I won't be able to check and reply immediately as I have an early start in the morning. Apologies for the delay. One thing to be mentioned though: P2P - I see you have P2P software, (uTorrent), installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infection. If your computer is infected, it almost certainly contributed to your current situation. Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. The bad guys use P2P file-sharing as a major conduit to spread their wares. Please see this topic for more information: Perils of P2P File Sharing. I would strongly recommend that you uninstall it now. You can do so via Start, Settings, Control Panel, Add or Remove Programs Should you decide to keep it, please don’t use it until we have finished up here. Regards Satchfan

Armor7 View Member Profile	Apr 15 2012, 05:51 PM Post #8
New Member Group: Authentic Member Posts: 14 Joined: 12-April 12 Member No.: 100,039 Operating System: XP	Dear Satchfan, I'll gladly take your advice and remove the P2P software...thank you again for the advice. I patiently await your other suggestions and recommendations. Respectfully and thankfully Tony

Satchfan View Member Profile	Apr 16 2012, 09:45 AM Post #9
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	Hi Tony This tool will protect both the flash drive and the PC by disabling the autorun feature. Disabling autorun won't prevent infected files from getting into your removable drive but it does prevent these files from launching automatically. Without getting launched, these infected files lie dormant on the drive, and are pretty much harmless unless you double click on them. Run this tool on all usb drives and computers: Please download Flash_Disinfector.exe by sUBs from here and save it to your desktop. double-click Flash_Disinfector.exe to run it and follow any prompts that may appear. the utility may ask you to insert your flash drive and/or other removable drives: please do so and allow the utility to clean up those drives as well hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present wait until it has finished scanning and then exit the program reboot your computer when done. Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files. ====================================================== Unhide the files on your external drives if not still inserted, insert the flash drive into an empty USB slot. Take note the drive letter for the device – my example is drive F press Windows + R, and type cmd and then click on OK. type this in taking care to notice where the spaces are: *attrib -s -h -r f:/.* /s /d press Enter and wait for the command to execute. open the thumb drive You should see the files that were hidden by the virus. ====================================================== Run TDSSKiller Please download TDSSKiller.zip extract it to your desktop double click TDSSKiller.exe press Start Scan only if Malicious objects are found then ensure Cure is selected. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly. then click Continue > Reboot now** copy and paste the log in your next reply A copy of the log will be saved automatically to the root of the drive (typically C:\) called TDSSKiller_*** (** denotes version & date)* ====================================================== Download and run ComboFix Download ComboFix from the following location: Link * IMPORTANT !!! Save ComboFix.exe to your Desktop disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools see this Link for programs that need to be disabled and instruction on how to disable them. remember to re-enable them when we're done. double click on ComboFix.exe & follow the prompts. as part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. Note: Do not mouse-click combofix's window while it is running. That may cause it to stall. When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt Please also remember to include the TDSSKiller** log Thanks Satchfan

Satchfan View Member Profile	Apr 19 2012, 04:50 PM Post #10
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	Hello Tony It has been several days since I posted instructions to help with your computer problem. Please let me know if you are having problems and still need help. Thanks Satchfan

Satchfan View Member Profile	Apr 20 2012, 03:19 AM Post #12
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	It’s good news that you have your programs back. If they are indeed all back, just delete the shortcuts. Your logs are coming back clean so it may be that PC Tools got whatever was on your system. There is no sign of TDSS which is good but we’ll run a couple more scans to be sure there is nothing else lurking. Open ComboFix Please do the following: close any open browsers. close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix. open notepad and copy/paste the text in the codebox below into it: CODE Registry:: [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=- [-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=- [-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"=- [-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}] Save this as "CFScript.txt", and as Type: All Files (.) in the same location as ComboFix.exe Referring to the picture above, drag CFScript into ComboFix.exe When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply. ========================================= Download Malwarebytes-Anti-Malware Click here double-click mbam-setup.exe and follow the prompts to install the program. at the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware. and Launch Malwarebytes' Anti-Malware, then click Finish.. if an update is found, it will download and install the latest version. once the program has loaded, select Perform quick scan, then click Scan. when the scan is complete, click OK, then Show Results to view the results. be sure that everything is checked, and click Remove Selected. when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below) the log is automatically saved and can be viewed by clicking the Logs tab in MBAM. copy and paste the contents of that report in your next reply and exit MBAM. NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. Satchfan

Satchfan View Member Profile	Apr 21 2012, 01:16 AM Post #14
SuperMember Group: Malware Team Posts: 4,609 Joined: 16-July 08 From: Devon, UK Member No.: 80,323 Operating System: Windows XP SP3 Windows 7 64-bit	That’s good news. Your logs are clean so one more scan to be certain there is nothing left and then we can clean up. Run ESET Online Scan Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here. Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan 1. Click the Eset online Scanner button. 2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) • Click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop. • Double click on the Eset installer icon on your desktop. 3. Check Yes, I accept the Terms of Use 4. Click the Start button. 5. Accept any security warnings from your browser. 6. Check Scan archives 7. Push the Start button. 8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. 9. When the scan completes, push List of found threats 10. Push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Note - when ESET doesn't find any threats, no report will be created. 11. Push the back button. 12. Push Finish If a log has been produced post it in your next reply. Thanks Satchfan

Armor7 View Member Profile	Apr 23 2012, 10:04 AM Post #15
New Member Group: Authentic Member Posts: 14 Joined: 12-April 12 Member No.: 100,039 Operating System: XP	Hi there Satchfan, I haven't replied yet because I have been having trouble getting the ESET online database downloaded. I am working on it right now still; I seek to respond in a few hours if all goes well. Respectfully, Tony

« Next Oldest · Virus, Spyware & Malware Removal · Next Newest »

3 Pages

1 2 3 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies	Topic Starter	Views	Last Action
Virus, Spyware & Malware Removal Hijack This Info Www.your-search.info Infection	3	artaudio	1,753	2nd April 2004 - 12:12 AM Last post by: Daemon
Virus, Spyware & Malware Removal GROMOZON infection?	3	omi22	1,133	4th October 2006 - 09:19 PM Last post by: omi22
Virus, Spyware & Malware Removal Possible Netstatt Infection, Etc.	7	kidscrash	1,686	26th October 2004 - 07:03 PM Last post by: shelf life
Virus, Spyware & Malware Removal Malicious Dialer Infection 12	15	blindpig21	2,646	17th October 2004 - 06:12 AM Last post by: Daemon
Virus, Spyware & Malware Removal msconfigre infection - amongst others I suspect! 12	23	masqueradeuk	1,935	21st January 2006 - 11:03 AM Last post by: LDTate