TDSS root kit - what a nightmare

Moderator: Moderators (Main)

grymmjack
KVRAF
 
9026 posts since 6 Apr, 2003

Postby grymmjack; Sun Feb 15, 2009 11:33 am TDSS root kit - what a nightmare

just a heads up guys, I have absolutely no f'n idea how this got on my machine, but it did. it's a good thing i'm a geek otherwise i'd be reinstalling right now and maybe then not even clean.

i was doing some work over the weekend and checking out some websites for research then all of a sudden images started loading broken, css stylesheets didn't seem to be working, i thought it was me. i restarted firefox (i dont use IE) and same thing happened. hrm...

something strange.

tried firefox in safe mode. same effect.

hrm! strange indeed. not a browser thing. made sure router was ok, power cycled. connection seems good.

reboot. try firefox again. same thing.

ok now i'm starting to wonder. i open IE and same exact behavior. ok now something is definitely not right. i open opera (as a web developer i have every browser we support installed and this includes opera 9 thankfully). opera works just fine.

i've never heard of firefox being screwy.

on a hunch i reboot and dual boot into mint linux. linux is fine.

reboot back into xp, i'm sure i've got a virus or something. as soon as i get in i head for an antivirus vendor that i know of and trust over the years (though do not so much anymore after researching i'm going with NOD32 this time) symantec.

type in symantec.com and hit enter in firefox, dns not found.

WTF

check hosts file in c:\windows\system32\drivers\etc - nothing suspicious in there just my own entries for 127.0.0.1 pointing to my ssh tunnel for work.

check the network properties of my NIC in xp, everything looks legit. no weird settings.

check my router, everything is fine except my box is on the DMZ (i forgot i did this a while ago when diagnosing an RDP issue i was having - so i must have been on the DMZ forever and not known it). so this could have been how they got in, dunno.

anyway, try to hit symantec.com in IE7 no dice, same issue dns error not found. opens up just fine in opera.

now using opera i search for unable to reach symantec.com, find an article on hijack this. download it. try to run it. no dice, just like i never tried to run it, tried from double click, tried from CMD.exe console, nothing. it's like it wont run at all.

open group policy editor check my settings, everything is fine nothing there to stop this from happening.

reach for my CD of norton, put it in, nothing. wtf. check the disc it's fine. check the disk in my notebook it's fine.

check device manager, dvd drive is disabled (yellow icon) WTF i used it yesterday.

now i know i'm pwnd.

scour on opera for an hour or more looking for symptoms like this finally pinpoint it down to a possible root kit called TDSS.

reboot in safe mode with networking, download hijack this again, still nope.

getting really pissed now.

open sysinternals process explorer look for anything attached to explorer.exe - nothing fishy there that i can see. wtf.

run sysinternals rootkit detection. aha 2 entries hidden from win32 api. one of them seems related.

reboot with my windows xp cd in, start recovery console, look for UACd.sys - nowhere to be seen. rootkit revealer said it was \\?\systemroot\system32\drivers or something which SHOULD translate to windows\system32\drivers - but no files are in there matching UAC*.

it occurs to me to try to look for a service. so i issue LISTSVC - reports a ton of stuff and guess what's in this list? UACd.sys - hidden from the standard win32 API but available through recovery console!

so now i issue DISABLE UACd.sys, windows happily disables it.

reboot into windows, double click hijackthis, it works. ok i'm safe temporarily. check symantec.com on firefox ie, works.

ok. download malware bytes malware remover, run a full scan.

after 2 hours, it finds the rootkit, i removed/delete the files. now i'm paranoid i change all my passwords, and i download kaspersky to verify this is gone for good (i'd heard kaspersky was good on forums i did R&D on to find this nasty) it doesn't find anything else.

i scan with spybot search and destroy nothing left. everything is clean.

now i've searched on KVR and arksun says NOD32 is non intrusive to DAW world, i'm buying that one. i did some research and NOD32 seems much better than AVG and avast and Norton.

lesson learned here; don't be naive about it anymore. run AV software, maybe not resident but at least scan on occasion. my fault for leaving my box in the DMZ but still ...

these malicious blackhat hackers are getting SCARY with how sophisticated they are.

i read that it's possible to get this rootkit from just opening a PDF -- A PDF ffs! i use those all the time for work and for research and what not.

lesson learned. i wont be burnt again if i can help it.

so NOD32 is ok? i trust arksun, so buying NOD32 myself.

i thought "i'm a geek hacker i dont need resident A/V" and now i'm rethinking that. i was able to bail myself out, luckily i know what's going on under the hood, but honestly this would have totally f**ked anyone without this kind of computer knowledge.

i post this so that others might actually learn from my folly.
grymmjack
KVRAF
 
9026 posts since 6 Apr, 2003

Postby grymmjack; Sun Feb 15, 2009 11:39 am

forgot to mention; after i cleaned my box i still didn't have a CD working, did some research on this and this virus uses a lo and hi filter in device manager to prevent my DVD from working. i remove the offending reg keys i find in a google search someone else made, and remove my errored DVD drive, reboot, drive is back.

but now i cant burn anything. it's like it's not detecting it's a burner.

not a huge deal but man this is really really really not cool. it's amazing how sophisticated and scary it's become. now i need to figure out how to tell windows this is a burner. lol.

*sigh*
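As an added example, not code from the thread, the Windows PowerShell below turns the two findings above into repeatable defender checks: a live cross-view of the Services registry key against what the Service Control Manager reports (the gap that LISTSVC exposed), flagging entries the API omits or whose driver file is missing, and a listing of the CD-ROM class UpperFilters/LowerFilters from the follow-up post. Function names are mine; it assumes an elevated Windows PowerShell prompt, the standard Services path and the standard CD-ROM class GUID, and since a rootkit that also hooks the registry API will not appear in this live view, hits are candidates for review while an offline view such as the recovery console stays the stronger check.

```powershell
# Added example, not code from the thread; function names are my own.
# Turn a raw ImagePath registry value into an absolute file path: strips quotes,
# trailing arguments, the \??\ and \SystemRoot\ prefixes and %SystemRoot%;
# relative paths such as system32\drivers\x.sys are resolved under %SystemRoot%.
function Resolve-ImagePath([string]$raw) {
    $p = $raw.Trim().Trim('"')
    if ($p -match '^(.+?\.(exe|sys|dll))') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^%SystemRoot%', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}
# Cross-view check (the gap LISTSVC exposed): entries under the Services key versus
# what the Service Control Manager reports through the Win32 API. Flags an entry
# the API does not list, or whose driver file is not on disk. Caveat: a rootkit
# that also hooks the registry API hides from this live view; an offline view
# (recovery console, boot media) remains the stronger check.
function Find-ServiceViewGaps {
    $seen = @{}
    Get-Service -ErrorAction SilentlyContinue | ForEach-Object { $seen[$_.Name.ToLower()] = 1 }
    Get-WmiObject Win32_SystemDriver -ErrorAction SilentlyContinue |
        ForEach-Object { $seen[$_.Name.ToLower()] = 1 }
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath -or $null -eq $p.Type) { return }   # not a loadable entry
        $hidden = -not $seen.ContainsKey($_.PSChildName.ToLower())
        $onDisk = Test-Path -LiteralPath (Resolve-ImagePath $p.ImagePath)
        if ($hidden -or -not $onDisk) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $p.ImagePath
                               Start = $p.Start; HiddenFromApi = $hidden; FileOnDisk = $onDisk }
        }
      }
}

# The "lo and hi filter" keys from the follow-up post: list UpperFilters/LowerFilters
# on the CD-ROM device class (standard class GUID) and whether each filter name maps
# to a registered service whose file exists. KB 314060 covers the repair.
function Get-CdromFilterState {
    $class = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
    $p = Get-ItemProperty $class -ErrorAction SilentlyContinue
    foreach ($slot in 'UpperFilters', 'LowerFilters') {
        foreach ($name in @($p.$slot)) {
            if (-not $name) { continue }
            $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $file = if ($svc.ImagePath) { Resolve-ImagePath $svc.ImagePath } else { $null }
            [pscustomobject]@{ Slot = $slot; Filter = $name; Registered = [bool]$svc
                               FileOnDisk = [bool]($file -and (Test-Path -LiteralPath $file)) }
        }
    }
}
Find-ServiceViewGaps | Format-Table -AutoSize
Get-CdromFilterState | Format-Table -AutoSize
```

Some legitimate entries under the Services key have unusual ImagePath forms, so a FileOnDisk of False on its own is a prompt to look, not proof of tampering.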
Yatmandu
KVRist
 
91 posts since 18 Oct, 2008

Postby Yatmandu; Sun Feb 15, 2009 11:47 am

Wow, you were very persistent in getting rid of this nasty POS virus from your system.

I've been running Kaspersky for a year and I'm very happy with it - no infections. It does slow down some things on my pc's, but not audio stuff. Mostly web/surfing/network related. Anyway, when working on music, just go offline and disable the A/V s/w. I heard good things about Nod32 as well. I reckon the top three are Kaspersky, Nod32, and Avira. Symantec a/v and avg are both average.
pinkjimiphoton
KVRAF
 
4794 posts since 9 Oct, 2005, from New England

Postby pinkjimiphoton; Sun Feb 15, 2009 11:54 am

grymmjack wrote:forgot to mention; after i cleaned my box i still didn't have a CD working, did some research on this and this virus uses a lo and hi filter in device manager to prevent my DVD from working. i remove the offending reg keys i find in a google search someone else made, and remove my errored DVD drive, reboot, drive is back.

but now i cant burn anything. it's like it's not detecting it's a burner.

not a huge deal but man this is really really really not cool. it's amazing how sophisticated and scary it's become. now i need to figure out how to tell windows this is a burner. lol.

*sigh*


f**k, now i know what's wrong with my machine, as it is displaying the same behaviour...

in my case, it seems to be tied to a free vst i tried, which is apparently nowhere on that machine (synthfellow's minimoog2003) tho it appears to be resident in my recycle bin...

even deleting the recycle bin doesn't work.

cleaned the reg

ran spybot, nothing.

a squared is disabled.

super antispyware and malwarebytes both show machine as clean.

it is NOT connected to the net.


of my 4 drives, my cd drives won't work...

the cd drive thinks it's a hard drive

my dvd burner thinks its a cd rom.

i can burn AUDIO cd's if i hook up an outboard cd burner...sometimes...,

but cannot back up data or anything else. it just crashes and hangs.

looks like it's f-disk and format time.

thanks for the heads-up.

i MAY try as a last ditch using a crossover cable and seeing if i can clean whatever, but i am not geeky enough to save it i don't think.

sorry to hear you got this kinda nightmare too, bro.

thanks for the headsup.

peace
I wish my lawn was Emo, so it would cut itself...
My Music (updated link)
f**k CANCER
cain
KVRian
 
954 posts since 15 Jan, 2005, from los angeles,ca

Postby cain; Sun Feb 15, 2009 12:10 pm

sorry to hear about your trouble grymmjack, had almost the same problem about 6 months ago, learned my lesson and i have been running a couple of programs ever since. same as Yatmandu whenever i go online i always enable them and when i'm done i run them and disable them. it's more work but after my last encounter i learned my lesson, that last problem had me screwed for about 4 days :? and dont want to go through that again.
grymmjack
KVRAF
 
9026 posts since 6 Apr, 2003

Postby grymmjack; Sun Feb 15, 2009 12:31 pm

pinkjimiphoton wrote:f**k, now i know what's wrong with my machine, as it is displaying the same behaviour...

in my case, it seems to be tied to a free vst i tried, which is apparently nowhere on that machine (synthfellow's minimoog2003) tho it appears to be resident in my recycle bin...

even deleting the recycle bin doesn't work.

cleaned the reg

ran spybot, nothing.

a squared is disabled.

super antispyware and malwarebytes both show machine as clean.

it is NOT connected to the net.


of my 4 drives, my cd drives won't work...

the cd drive thinks it's a hard drive

my dvd burner thinks its a cd rom.

i can burn AUDIO cd's if i hook up an outboard cd burner...sometimes...,

but cannot back up data or anything else. it just crashes and hangs.

looks like it's f-disk and format time.

thanks for the heads-up.

i MAY try as a last ditch using a crossover cable and seeing if i can clean whatever, but i am not geeky enough to save it i don't think.

sorry to hear you got this kinda nightmare too, bro.

thanks for the headsup.

peace


hrm. that's slightly different than what i've been dealing with i think - the drive is still detected as an optical media type, but just isn't registered properly with burner software. the built in XP burner stuff worked ok, just not recordnow.

hrm.

here is a link that i found:
http://support.microsoft.com/default.as ... -us;314060

and here:
http://www.tomshardware.com/forum/160533-45-windows

specifically this reply to the thread:
http://www.tomshardware.com/forum/16053 ... para580496

the cdgone.zip thing is what i downloaded and used to make the yellow icon go away and give me access to the drive again.

it sounds like you already have access so i dont know what to say except maybe try booting into safemode, deleting the drive from device manager, and booting back into regular mode. i did this myself a few times before doing the cdgone thing and it didn't matter, i had to run the registry stuff in that zip for my drive letter to come back.

dont give up unless you're sure you cant fix it. i was nearing this point too but man, i feel good and vindicated since persevering.

bad guys: -1
good guys: +1

:)
grymmjack
KVRAF
 
9026 posts since 6 Apr, 2003

Postby grymmjack; Sun Feb 15, 2009 12:36 pm

cain wrote:sorry to hear about your trouble grymmjack, had almost the same problem about 6 months ago, learned my lesson and i have been running a couple of programs ever since. same as Yatmandu whenever i go online i always enable them and when i'm done i run them and disable them. it's more work but after my last encounter i learned my lesson, that last problem had me screwed for about 4 days :? and dont want to go through that again.


in the old DOS days when the worst of the fighting was Stoned.Empire.Monkey.B in your BIOS, i wasn't too worried, i could always reset things always get things back to normal pretty easy not a lot of hidden stupidity in DOS aside from a rogue TSR program.

however, now with XP it's just not smart to not have some kind of protection going. maybe not always resident, maybe just as needed on demand once you're clean, as the newest and latest virii using the as yet unpatched vulnerabilities of xp pro to get inside aren't affected by even the most hardcore resident antivirus stuff, since they are new...

honestly the thing that bothers me most is NOT knowing where the hell it came from. i scanned my wife's machine too and she's clean, which is great when the woman has a clean box ;) but it's sad that she's a newb and i'm this geek and i'm the one with the problem :)

NOD32 seems like a great program and in my research it seems like it will do exactly what i want; stay out of my way, stay lean, and let me go about my every day computing.

thanks for your support cain.
Kriminal
KVRAF
 
18337 posts since 1 Oct, 2001, from England

Postby Kriminal; Sun Feb 15, 2009 12:51 pm

grymmjack wrote:
i was doing some work over the weekend and checking out some websites for research


buy a mag next time :hihi:




(im not mocking your experience, similar happened to me a few weeks back :cry: )
Yatmandu
KVRist
 
91 posts since 18 Oct, 2008

Postby Yatmandu; Sun Feb 15, 2009 1:04 pm

The only time I thought I had a virus/trojan was when I found typing on my laptop to be excruciatingly laggy. Like I'd type a few characters and then they would appear a second later. I was convinced I had a virus or keylogger of some sort. Did a ton of scanning/hijack this/etc. Nothing to be found. After some time googling I found out that a dead or dying laptop battery can cause this behavior. Sure enough, after removing my POS dell battery (that died one week after the 1 year warranty expired) everything was back to normal.

Often, what seems like a virus is something else.
ronergeist
KVRist
 
60 posts since 29 Sep, 2005, from Bergen, Norway

Postby ronergeist; Sun Feb 15, 2009 1:19 pm

My experience with the TDSS rootkit was also really frustrating. I helped out two friends that had got this virus. After trying out a lot of programs, Spyhunter got me sorted out. This is payware, but you can also use the demo version. It discovers the rootkit and freezes it. After a reboot you get access to your regular antivirus software / antimalware to do their job. Malwarebytes' Anti-Malware (freeware) did a good job for me after Spyhunter had frozen the virus.
I'm going to check out Nod32 now. Programs to stop this virus-shit seem to be an ever growing business, and it is hard to find the best soft for the job....
pinkjimiphoton
KVRAF
 
4794 posts since 9 Oct, 2005, from New England

Postby pinkjimiphoton; Sun Feb 15, 2009 1:54 pm


hrm. that's slightly different than what i've been dealing with i think - the drive is still detected as an optical media type, but just isn't registered properly with burner software. the built in XP burner stuff worked ok, just not recordnow.

hrm.

here is a link that i found:
http://support.microsoft.com/default.as ... -us;314060

and here:
http://www.tomshardware.com/forum/160533-45-windows

specifically this reply to the thread:
http://www.tomshardware.com/forum/16053 ... para580496

the cdgone.zip thing is what i downloaded and used to make the yellow icon go away and give me access to the drive again.

it sounds like you already have access so i dont know what to say except maybe try booting into safemode, deleting the drive from device manager, and booting back into regular mode. i did this myself a few times before doing the cdgone thing and it didn't matter, i had to run the registry stuff in that zip for my drive letter to come back.

dont give up unless you're sure you cant fix it. i was nearing this point too but man, i feel good and vindicated since persevering.

bad guys: -1
good guys: +1

:)


thanks for the encouragement and headsup grymmjack
i will play with it...i've been messing with it for months now, it all went nutz last summer when an external drive went down taking god knows how much stuff with it...330 gigs worth.

i was lucky to get in with a live linux disc and save most of my songs, but i lost most of my apps there....tho my vsti folder survived.

so if i fail, it's still a win, as i saved the most important stuff regardless.
;) :tu:

i'll try your advice, too, and thanks a lot for taking the time to advise me!

peace brother

jimi
jonnyG
KVRian
 
1340 posts since 24 Dec, 2005, from Devon, England

Postby jonnyG; Sun Feb 15, 2009 2:00 pm

Jeez grymmjack, that sounds like a nightmare. As you say, "it's a good thing i'm a geek"... that sounds like format / reinstall territory for most people.

I use NOD32 on the internet partition of my desktop. It runs transparently, even when updating itself. Obviously, appraising an antivirus isn't easy as one only knows about its effectiveness when it misses something. However, it's protected my system for over a year now and the only issue I've had was a false positive with a .aif file belonging to Ableton Live on a shared drive. I sent the file for evaluation and now it's ignored.
"are we there yet?"
grymmjack
KVRAF
 
9026 posts since 6 Apr, 2003

Postby grymmjack; Sun Feb 15, 2009 2:38 pm

Kriminal wrote:
grymmjack wrote:
i was doing some work over the weekend and checking out some websites for research


buy a mag next time :hihi:



lol seriously? that's not even funny. :)

(im not mocking your experience, similar happened to me a few weeks back :cry: )


what'd you do? what a/v package do you use any?
