Thread: The saga of Rootkit.win32.TDSS.

  1. #1
    mm Guest

    The saga of Rootkit.win32.TDSS.


    My winxp is booting now, but has winxp problems. I'm only posting
    about one thing here. The Kaspersky AV boot disk said there was a
    problem with my MBR.

    I ran mbr.exe on my friend's HP netbook, the one with the mbr problem
    according to Kaspersky, and it said

    Title: Stealth MBR rootkit/MEbroot/sinowal Detector 0.3.7 by Gmer

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel OK
    --------------------------------------------

    Then I ran a different program that might have been available at the
    same place, but it's 293,000 bytes instead of 77,000. They assign a
    random name to it, because some viruses keep track of names and won't
    let known things start. (Of course you could rename it yourself.) I
    guess it's a later version of gmer.exe, that is, later than mbr.exe,
    with a GUI.

    My screen looks like the one at www.gmer.net but my results don't look
    anything like theirs. None of my lines are in red, or anything like
    the one there.

    At the top of the GUI it says GMER 1.0.15.15281.
    Under Rootkit/Malware it has 10 lines which I don't understand.

    Because it doesn't specifically say I have a problem, but it has 10
    lines with what don't look like file names in the Rootkit/Malware tab
    of the program!!??

    Each starts with AttachedDevice

    In the next column are names like
    \FileSystem\ntfs\ntfs
    \fastfat\fat 3 of these
    \Driver\Tcpip\Device\lp
    \tcp
    \udp
    \Rawlp
    \Kbdclass \Device\keyboardClass0
    1

    And the values for each name are:
    SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) 2 of these
    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft) 2
    SYMTDI.SYS (Network Dispatch Driver/Symantec Corp.) 4 of these
    SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) 2 of these

    What do you think this means? (There is no help link or file in the
    program.)
    ------------------

    Then I ran TDSSKiller.exe, which took 60 seconds, and scanned about
    214 items, and it said that the MBR had Rootkit.win32.TDSS.tdl4, which
    except for the last node is what Kaspersky said**. It offered to
    Skip, Quarantine, Cure, or Restore. I chose Cure. I don't think you
    can Quarantine the mbr!

    I ran cure and it said it would be cured after the next boot, but when
    I ran TDSSkiller after the next boot, it again said it had the same
    malicious object. I didn't want to run Cure again, so I just clicked
    on the X in the upper right corner, but again it said it would be
    cured after the next reboot. Even though I exited without clicking on
    Continue! Strange. It still said it was there after the next boot.

    **Wait. TDSSKiller is also by Kaspersky, which is the only AV program
    out of 6 bootdisks that I ran that said I had an mbr problem.
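    An added triage helper, not GMER's code and not anything the posters ran: the AttachedDevice rows list filter drivers attached to device stacks (NTFS, FAT, TCP/IP, keyboard), and the question for each row is whether the driver and its vendor are expected on that machine. The sample rows and the unknown-driver placeholder are constructed in the shape of the output quoted above; the column layout and the trusted-vendor list are assumptions.

```python
import re
from collections import Counter

# Constructed sample rows in GMER's column layout: type, device stack, device, driver (description/vendor).
# Driver names and vendors mirror the ones reported in the thread; the last row is a placeholder
# with no vendor information, added to show how an unexplained filter driver is surfaced.
SAMPLE_ROWS = r"""
AttachedDevice  \FileSystem\Ntfs \Ntfs                  SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice  \FileSystem\Ntfs \Ntfs                  fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp               SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp               SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0 UNKNOWN_EXAMPLE.sys
"""

# Vendors named in the thread's own output; treated here as expected for this machine (an assumption).
TRUSTED_VENDORS = ("Symantec", "Microsoft", "Synaptics")

ROW_RE = re.compile(
    r"^AttachedDevice\s+(?P<stack>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+\.sys)"
    r"(?:\s+\((?P<description>[^/]*)/(?P<vendor>[^)]*)\))?\s*$",
    re.IGNORECASE,
)

def parse_rows(text):
    """Return one dict per AttachedDevice row; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def triage(rows, trusted=TRUSTED_VENDORS):
    """Count rows per driver and flag drivers whose vendor is missing or not in the trusted list."""
    per_driver = Counter(r["driver"] for r in rows)
    flagged = sorted({
        r["driver"] for r in rows
        if not r["vendor"] or not any(t.lower() in r["vendor"].lower() for t in trusted)
    })
    return {"per_driver": dict(per_driver), "flagged": flagged}

if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for driver, n in sorted(result["per_driver"].items()):
        print(f"{n} x {driver}")
    print("needs a closer look:", result["flagged"] or "none")
```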

  2. #2
    David H. Lipman Guest

    Re: The saga of Rootkit.win32.TDSS.

    From: "mm" <NOPSAMmm2005@bigfoot.com>



    You keep creating NEW posts and thus all your posts that may be related to an older thread
    become discontiguous.

    Let's get back to the basics.

    OK, Kaspersky's TDSSKiller indicated "Rootkit.win32.TDSS.tdl4" in the MBR.

    If that is the case we are dealing with the LATEST variant, TDSS Level 4, in the MBR.

    How are you running TDSSKiller ?
    Normal Mode ?
    Safe Mode ?

    Can you please post a TDSSKiller log.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    mm Guest

    Re: The saga of Rootkit.win32.TDSS.

    On Sat, 9 Oct 2010 21:27:13 -0400, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >You keep creating NEW posts and thus all your posts that may be related to an older thread
    >become discontiguous.


    Sorry. I thought in this case it was separate from everything else.
    >
    >Let's get back to the basics.
    >
    >OK, Kaspersky's TDSSKiller indicated "Rootkit.win32.TDSS.tdl4" in the MBR.
    >
    >If that is the case we are dealing with the LATEST variant, TDSS Level 4, in the MBR.
    >
    >How are you running TDSSKiller ?
    >Normal Mode ?
    >Safe Mode ?


    Normal mode. XP is starting and running fairly well now.

    At the moment, the only thing I know of that won't work is
    msinfo32.exe, of all things.

    >Can you please post a TDSSKiller log.


    I ran it several times and it wrote 5 logs, each of them 49,998 bytes
    long, with a line for each file scanned, and the same conclusion, like
    it showed at the time,

    System Info:
    .....
    Boot type: Normal boot

    Initialize Success
    ......
    \HardDisk0\MBR - detected Rootkit.win32.TDSS.tdl4 (0)
    Scan finished

    Detected object count 1
    \Harddisk0\MBR will be cured after reboot
    Rootkit.win32.TDSS.tdl4(\Harddisk0\MBR) - User selected action: Cure
    Deinitialize success
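    An added example, not TDSSKiller's code and not from the thread: it parses log excerpts of the shape quoted above from several consecutive runs and reports any object that was due to be cured on reboot but is detected again by the following run, which is the pattern the repeated runs here showed. The log lines are constructed from the excerpt; the regexes and the case-insensitive path comparison (the excerpt spells the same object HardDisk0 and Harddisk0) are assumptions.

```python
import re

# Constructed excerpts in the shape of the TDSSKiller log quoted in the thread; the per-file scan
# lines are omitted. RUN_INFECTED reports one MBR object with a cure pending, RUN_CLEAN reports none.
RUN_INFECTED = """Boot type: Normal boot
Initialize Success
\\HardDisk0\\MBR - detected Rootkit.win32.TDSS.tdl4 (0)
Scan finished
Detected object count 1
\\Harddisk0\\MBR will be cured after reboot
Rootkit.win32.TDSS.tdl4(\\Harddisk0\\MBR) - User selected action: Cure
Deinitialize success"""
RUN_CLEAN = """Boot type: Normal boot
Scan finished
Detected object count 0
Deinitialize success"""

DETECTED_RE = re.compile(r"^(?P<obj>\\\S+) - detected (?P<name>\S+)")
PENDING_RE = re.compile(r"^(?P<obj>\\\S+) will be cured after reboot")
COUNT_RE = re.compile(r"^Detected object count (?P<n>\d+)")

def parse_log(text):
    """Extract detected objects, objects with a cure pending, and the reported count from one log."""
    result = {"detected": {}, "pending": set(), "count": None}
    for line in text.splitlines():
        line = line.strip()
        if m := DETECTED_RE.match(line):
            result["detected"][m["obj"].lower()] = m["name"]   # device paths are case-insensitive
        elif m := PENDING_RE.match(line):
            result["pending"].add(m["obj"].lower())
        elif m := COUNT_RE.match(line):
            result["count"] = int(m["n"])
    return result

def compare_runs(logs):
    """Report objects that were due to be cured on reboot but are detected again in the next run."""
    parsed = [parse_log(t) for t in logs]
    findings = []
    for i in range(1, len(parsed)):
        for obj in sorted(parsed[i - 1]["pending"]):
            if obj in parsed[i]["detected"]:
                findings.append(f"run {i + 1}: {parsed[i]['detected'][obj]} at {obj} "
                                f"still present although a cure was pending after run {i}")
    if parsed and parsed[-1]["count"] == 0:
        findings.append(f"run {len(parsed)}: no objects detected")
    return findings

if __name__ == "__main__":
    for finding in compare_runs([RUN_INFECTED, RUN_INFECTED, RUN_CLEAN]):
        print(finding)
```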



  4. #4
    mm Guest

    Re: The saga of Rootkit.win32.TDSS.

    On Sat, 9 Oct 2010 21:27:13 -0400, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >
    >OK, Kaspersky's TDSSKiller indicated "Rootkit.win32.TDSS.tdl4" in the MBR.
    >
    >If that is the case we are dealing with the LATEST variant, TDSS Level 4, in the MBR.
    >
    >How are you running TDSSKiller ?
    >Normal Mode ?
    >Safe Mode ?
    >
    >Can you please post a TDSSKiller log.
    >
    >--
    >Dave


    Not needed after all.

    Okay, I rebooted 3, maybe 4 times yesterday and after each time
    checked with TDSSKiller if the mbr problem was still there.

    Tonight I updated SuperAntiSpyware, and that program had worked very
    well for me the day before.

    It has a set of repair tools, one of which is Fix Task Manager, and it
    worked. Originally pressing Ctrl-Alt-Delete wouldn't even bring up a
    screen, but after SASpyware, it worked fine.

    In tonight's update, it said it had something that killed Rootkit
    TDSS. I think it was that specific.

    But before I ran it I ran TDSSKiller for the 7th time, and this time
    it found no problems. I don't get it, but it looks like that problem
    is gone.

    A good thing too, because even though it said it was included, now I
    can't find anything in the SASpyware list of repair tools which would
    have done this.

    Thanks, anyhow, for your reply and being willing to work on this with
    me.

  5. #5
    David H. Lipman Guest

    Re: The saga of Rootkit.win32.TDSS.

    From: "mm" <NOPSAMmm2005@bigfoot.com>


    That's GOOD to hear.

    Danke.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


