TDSS root kit - what a nightmare

Configure and optimize your computer for Audio.

Post

just a heads up guys, I have absolutely no f'n idea how this got on my machine, but it did. it's a good thing i'm a geek otherwise i'd be reinstalling right now and maybe then not even clean.

i was doing some work over the weekend and checking out some websites for research, then all of a sudden images started loading broken and css stylesheets didn't seem to be working. i thought it was me. i restarted firefox (i don't use IE) and the same thing happened. hrm...

something strange.

tried firefox in safe mode. same effect.

hrm! strange indeed. not a browser thing. made sure router was ok, power cycled. connection seems good.

reboot. try firefox again. same thing.

ok now i'm starting to wonder. i open IE and same exact behavior. ok now something is definitely not right. i open opera (as a web developer i have every browser we support installed and this includes opera 9 thankfully). opera works just fine.

i've never heard of firefox being screwy.

on a hunch i reboot and dual boot into mint linux. linux is fine.

reboot back into xp, i'm sure i've got a virus or something. as soon as i get in i head for an antivirus vendor that i know of and have trusted over the years: symantec (though not so much anymore; after researching, i'm going with NOD32 this time).

type in symantec.com and hit enter in firefox, dns not found.

WTF

check hosts file in c:\windows\system32\drivers\etc - nothing suspicious in there just my own entries for 127.0.0.1 pointing to my ssh tunnel for work.

check the network properties of my NIC in xp, everything looks legit. no weird settings.

check my router, everything is fine except my box is on the DMZ (i forgot i did this a while ago when diagnosing an RDP issue i was having - so i must have been on the DMZ forever and not known it). so this could have been how they got in, dunno.

anyway, try to hit symantec.com in IE7 no dice, same issue dns error not found. opens up just fine in opera.

now using opera i search for "unable to reach symantec.com", find an article on hijack this. download it. try to run it. no dice, just like i never tried to run it. tried from double click, tried from the CMD.exe console, nothing. it's like it won't run at all.

open group policy editor check my settings, everything is fine nothing there to stop this from happening.

reach for my CD of norton, put it in, nothing. wtf. check the disc it's fine. check the disk in my notebook it's fine.

check device manager, dvd drive is disabled (yellow icon) WTF i used it yesterday.

now i know i'm pwnd.

scour on opera for an hour or more looking for symptoms like this finally pinpoint it down to a possible root kit called TDSS.

reboot in safe mode with networking, download hijack this again, still nope.

getting really pissed now.

open sysinternals process explorer look for anything attached to explorer.exe - nothing fishy there that i can see. wtf.

run sysinternals rootkit detection. aha 2 entries hidden from win32 api. one of them seems related.

reboot with my windows xp cd in, start recovery console, look for UACd.sys - nowhere to be seen. rootkit revealer said it was in \\?\systemroot\system32\drivers or something, which SHOULD translate to windows\system32\drivers - but no files are in there matching UAC*.

it occurs to me to try to look for a service. so i issue LISTSVC - reports a ton of stuff and guess what's in this list? UACd.sys - hidden from the standard win32 API but available through recovery console!

so now i issue DISABLE UACd.sys, windows happily disables it.

reboot into windows, double click hijackthis, it works. ok i'm safe temporarily. check symantec.com on firefox ie, works.

ok. download malware bytes malware remover, run a full scan.

after 2 hours, it finds the rootkit, i remove/delete the files. now i'm paranoid, so i change all my passwords, and i download kaspersky to verify this is gone for good (i'd heard kaspersky was good on the forums i did R&D on to find this nasty). it doesn't find anything else.

i scan with spybot search and destroy nothing left. everything is clean.

now i've searched on KVR and arksun says NOD32 is non-intrusive to the DAW world, so i'm buying that one. i did some research and NOD32 seems much better than AVG and avast and Norton.

lesson learned here; don't be naive about it anymore. run AV software, maybe not resident but at least scan on occasion. my fault for leaving my box in the DMZ but still ...

these malicious blackhat hackers are getting SCARY with how sophisticated they are.

i read that it's possible to get this rootkit from just opening a PDF -- A PDF ffs! i use those all the time for work and for research and what not.

lesson learned. i wont be burnt again if i can help it.

so NOD32 is ok? i trust arksun, so buying NOD32 myself.

i thought "i'm a geek hacker, i don't need resident A/V" and now i'm rethinking that. i was able to bail myself out, luckily i know what's going on under the hood, but honestly this would have totally f**ked anyone without this kind of computer knowledge.

i post this so that others might actually learn from my folly.
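The trick that finally exposed UACd.sys in the post above is a cross-view comparison: a listing taken through the live Win32 API versus one taken offline from the Recovery Console. Here is that comparison as an added example (not from the thread or any tool it mentions); both listings and the directory contents are constructed sample data, and a real check would paste in the actual `sc query` and LISTSVC output.

```python
"""Cross-view detection of a hidden service and its driver file.

Constructed sample data: API_VIEW imitates a user-mode enumeration
(sc query style) that a rootkit can filter; OFFLINE_VIEW imitates the
Recovery Console LISTSVC output, which reads the hive without the
rootkit running; LIVE_DIR imitates a dir of system32\\drivers taken
from inside the infected Windows session."""
import re

API_VIEW = """\
SERVICE_NAME: Beep
SERVICE_NAME: Cdrom
SERVICE_NAME: Tcpip
"""

OFFLINE_VIEW = """\
Beep        Manual    Beep
Cdrom       System    CD-ROM Driver
UACd.sys    Boot      UACd.sys
Tcpip       System    TCP/IP Protocol Driver
"""

LIVE_DIR = ["beep.sys", "cdrom.sys", "tcpip.sys"]


def parse_api_view(text):
    """Service names from 'SERVICE_NAME: x' lines, lower-cased for comparison."""
    return {m.group(1).lower() for m in re.finditer(r"SERVICE_NAME:\s*(\S+)", text)}


def parse_offline_view(text):
    """First column of each LISTSVC-style line is the service name."""
    return {line.split()[0].lower() for line in text.splitlines() if line.split()}


def cross_view_report(api_text, offline_text, live_dir):
    """Services the offline view knows but the live API does not, plus
    which of those also have no visible driver file: both are the
    signature of something filtering the API's answers."""
    hidden = sorted(parse_offline_view(offline_text) - parse_api_view(api_text))
    visible_files = {f.lower() for f in live_dir}
    missing = [s for s in hidden
               if (s if s.endswith(".sys") else s + ".sys") not in visible_files]
    return {"hidden_services": hidden, "missing_files": missing}


if __name__ == "__main__":
    print(cross_view_report(API_VIEW, OFFLINE_VIEW, LIVE_DIR))
```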

Post

forgot to mention; after i cleaned my box i still didn't have a CD working. did some research on this and this virus uses a lo and hi filter in device manager to prevent my DVD from working. i remove the offending reg keys i find in a google search someone else made, and remove my errored DVD drive, reboot, drive is back.

but now i can't burn anything. it's like it's not detecting it's a burner.

not a huge deal but man this is really really really not cool. it's amazing how sophisticated and scary it's become. now i need to figure out how to tell windows this is a burner. lol.

*sigh*

Post

Wow, you were very persistent in getting rid of this nasty POS virus from your system.

I've been running Kaspersky for a year and I'm very happy with it - no infections. It does slow down some things on my PCs, but not audio stuff. Mostly web/surfing/network related. Anyway, when working on music, just go offline and disable the A/V s/w. I heard good things about Nod32 as well. I reckon the top three are Kaspersky, Nod32, and Avira. Symantec a/v and avg are both average.

Post

grymmjack wrote: forgot to mention; after i cleaned my box i still didn't have a CD working. did some research on this and this virus uses a lo and hi filter in device manager to prevent my DVD from working. i remove the offending reg keys i find in a google search someone else made, and remove my errored DVD drive, reboot, drive is back.

but now i can't burn anything. it's like it's not detecting it's a burner.

not a huge deal but man this is really really really not cool. it's amazing how sophisticated and scary it's become. now i need to figure out how to tell windows this is a burner. lol.

*sigh*
f**k, now i know what's wrong with my machine, as it is displaying the same behaviour...

in my case, it seems to be tied to a free vst i tried, which is apparently nowhere on that machine (synthfellow's minimoog2003) tho it appears to be resident in my recycle bin...

even deleting the recycle bin doesn't work.

cleaned the reg

ran spybot, nothing.

a squared is disabled.

super antispyware and malwarebytes both show machine as clean.

it is NOT connected to the net.


of my 4 drives, my cd drives won't work...

the cd drive thinks it's a hard drive

my dvd burner thinks it's a cd rom.

i can burn AUDIO cd's if i hook up an outboard cd burner...sometimes...,

but cannot back up data or anything else. it just crashes and hangs.

looks like it's f-disk and format time.

thanks for the heads-up.

i MAY try as a last ditch using a crossover cable and seeing if i can clean whatever, but i am not geeky enough to save it i don't think.

sorry to hear you got this kinda nightmare too, bro.

thanks for the headsup.

peace
I wish my lawn was Emo, so it would cut itself...
My Music (updated link)
f**k CANCER

Post

sorry to hear about your trouble grymmjack, had almost the same problem about 6 months ago, learned my lesson and i have been running a couple of programs ever since. same as Yatmandu, whenever i go online i always enable them and when i'm done i run them and disable them. it's more work but after my last encounter i learned my lesson, that last problem had me screwed for about 4 days :? and don't want to go through that again.

Post

pinkjimiphoton wrote:f**k, now i know what's wrong with my machine, as it is displaying the same behaviour...

in my case, it seems to be tied to a free vst i tried, which is apparently nowhere on that machine (synthfellow's minimoog2003) tho it appears to be resident in my recycle bin...

even deleting the recycle bin doesn't work.

cleaned the reg

ran spybot, nothing.

a squared is disabled.

super antispyware and malwarebytes both show machine as clean.

it is NOT connected to the net.


of my 4 drives, my cd drives won't work...

the cd drive thinks it's a hard drive

my dvd burner thinks it's a cd rom.

i can burn AUDIO cd's if i hook up an outboard cd burner...sometimes...,

but cannot back up data or anything else. it just crashes and hangs.

looks like it's f-disk and format time.

thanks for the heads-up.

i MAY try as a last ditch using a crossover cable and seeing if i can clean whatever, but i am not geeky enough to save it i don't think.

sorry to hear you got this kinda nightmare too, bro.

thanks for the headsup.

peace
hrm. that's slightly different than what i've been dealing with i think - the drive is still detected as an optical media type, but just isn't registered properly with burner software. the built in XP burner stuff worked ok, just not recordnow.

hrm.

here is a link that i found:
http://support.microsoft.com/default.as ... -us;314060

and here:
http://www.tomshardware.com/forum/160533-45-windows

specifically this reply to the thread:
http://www.tomshardware.com/forum/16053 ... para580496

the cdgone.zip thing is what i downloaded and used to make the yellow icon go away and give me access to the drive again.

it sounds like you already have access so i don't know what to say except maybe try booting into safe mode, deleting the drive from device manager, and booting back into regular mode. i did this myself a few times before doing the cdgone thing and it didn't matter, i had to run the registry stuff in that zip for my drive letter to come back.

don't give up unless you're sure you can't fix it. i was nearing this point too but man, i feel good and vindicated since persevering.

bad guys: -1
good guys: +1

:)

Post

cain wrote: sorry to hear about your trouble grymmjack, had almost the same problem about 6 months ago, learned my lesson and i have been running a couple of programs ever since. same as Yatmandu, whenever i go online i always enable them and when i'm done i run them and disable them. it's more work but after my last encounter i learned my lesson, that last problem had me screwed for about 4 days :? and don't want to go through that again.
in the old DOS days, when the worst of the fighting was Stoned.Empire.Monkey.B in your BIOS, i wasn't too worried; i could always reset things and always get things back to normal pretty easily. not a lot of hidden stupidity in DOS aside from a rogue TSR program.

however, now with XP it's just not smart to not have some kind of protection going. maybe not always resident, maybe just as needed on demand once you're clean, as the newest and latest virii using the as yet unpatched vulnerabilities of xp pro to get inside aren't affected by even the most hardcore resident antivirus stuff, since they are new...

honestly the thing that bothers me most is NOT knowing where the hell it came from. i scanned my wife's machine too and she's clean, which is great when the woman has a clean box ;) but it's sad that she's a newb and i'm this geek and i'm the one with the problem :)

NOD32 seems like a great program and in my research it seems like it will do exactly what i want; stay out of my way, stay lean, and let me go about my every day computing.

thanks for your support cain.

Post

grymmjack wrote:
i was doing some work over the weekend and checking out some websites for research
buy a mag next time :hihi:

(i'm not mocking your experience, similar happened to me a few weeks back :cry: )

Post

The only time I thought I had a virus/trojan was when I found typing on my laptop to be excruciatingly laggy. Like I'd type a few characters and then they would appear a second later. I was convinced I had a virus or keylogger of some sort. Did a ton of scanning/hijack this/etc. Nothing to be found. After some time googling I found out that a dead or dying laptop battery can cause this behavior. Sure enough, after removing my POS dell battery (that died one week after the 1 year warranty expired) everything was back to normal.

Often, what seems like a virus is something else.

Post

My experience with the TDSS rootkit was also really frustrating. I helped out two friends that had got this virus. After trying out a lot of programs, Spyhunter got me sorted out. This is payware, but you can also use the demo version. It discovers the rootkit and freezes it. After a reboot you get access to your regular antivirus software / antimalware to do their job. Malwarebytes' Anti-Malware (freeware) did a good job for me after Spyhunter had frozen the virus.
I'm going to check out Nod32 now. Programs to stop this virus-shit seem to be an ever growing business, and it is hard to find the best soft for the job....

Post

hrm. that's slightly different than what i've been dealing with i think - the drive is still detected as an optical media type, but just isn't registered properly with burner software. the built in XP burner stuff worked ok, just not recordnow.

hrm.

here is a link that i found:
http://support.microsoft.com/default.as ... -us;314060

and here:
http://www.tomshardware.com/forum/160533-45-windows

specifically this reply to the thread:
http://www.tomshardware.com/forum/16053 ... para580496

the cdgone.zip thing is what i downloaded and used to make the yellow icon go away and give me access to the drive again.

it sounds like you already have access so i don't know what to say except maybe try booting into safe mode, deleting the drive from device manager, and booting back into regular mode. i did this myself a few times before doing the cdgone thing and it didn't matter, i had to run the registry stuff in that zip for my drive letter to come back.

don't give up unless you're sure you can't fix it. i was nearing this point too but man, i feel good and vindicated since persevering.

bad guys: -1
good guys: +1

:)
thanks for the encouragement and headsup grymmjack
i will play with it...i've been messing with it for months now, it all went nutz last summer when an external drive went down taking god knows how much stuff with it...330 gigs worth.

i was lucky to get in with a live linux disc and save most of my songs, but i lost most of my apps there....tho my vsti folder survived.

so if i fail, it's still a win, as i saved the most important stuff regardless.
;) :tu:

i'll try your advice, too, and thanks a lot for taking the time to advise me!

peace brother

jimi
I wish my lawn was Emo, so it would cut itself...
My Music (updated link)
f**k CANCER

Post

Jeez grymmjack, that sounds like a nightmare. As you say, "it's a good thing i'm a geek"... that sounds like format / reinstall territory for most people.

I use NOD32 on the internet partition of my desktop. It runs transparently, even when updating itself. Obviously, appraising an antivirus isn't easy as one only knows about its effectiveness when it misses something. However, it's protected my system for over a year now and the only issue I've had was a false positive with a .aif file belonging to Ableton Live on a shared drive. I sent the file for evaluation and now it's ignored.
"are we there yet?"

Post

Kriminal wrote:
grymmjack wrote:
i was doing some work over the weekend and checking out some websites for research
buy a mag next time :hihi:
lol seriously? that's not even funny. :)
(i'm not mocking your experience, similar happened to me a few weeks back :cry: )
what'd you do? what a/v package do you use, if any?
