how can I get rid of a tdss (without starting my system)?

Discussion in 'other security issues & news' started by hihat, Mar 14, 2011.

Thread Status:
Not open for further replies.
  1. hihat
    Offline

    hihat Registered Member

    Hi there,

    by downloading an executable that looked like a freeware program from the internet my trouble started. It wanted to open the command prompt repeatedly and didn't let me do anything else than clicking on no buttons. All of a sudden a kind of fake security application was installed. When I tried to clean it by running drweb cureit, a rootkit was detected and just when drweb cureit tried to delete it (I have a licence of both eset smart security and drweb av), the machine stopped working. It doesn't even restart in safe mode but stop all the time with a bluescreen during the boot process. I spent my sunday trying to fix it but no success so far. I was replacing the master boot record with ultimatebootcd4win, but didn't help, I was running drweb livecd which took more than 20 hours when it stopped with a segmentation fault. It discovered few things but not the rootkit anymore. Hitman Pro gave a hint to Alureon/TDSS but didn't solve the problem. I also tried the other av software coming with ultimatebootcd for windows. Combofix unfortunately doesn't work for a 64bit win7 (although it said it did).

    I cannot boot the system anymore, not even in safe mode - it stops with a bluescreen. The repair options from win7 and it's disc fail. I guess the harddisc driver was manipulated by the TDSS (4005 according to drweb).

    what else could I do?

    Thanks for ideas, help, guidance, advice.
    And have a good (better) start into the new week.

    David
  2. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    Do you know what file is infected? atapi.sys?
    You can use the DR. Web CD or other Live media to access the harddrive and replace the infected .sys file with a known good file from the Windows disc.

    Kaspersky rescue or Live CD.

    If you can get to the desktop a renamed mbam.exe=>explorer.exe might work.

    Other people with more experience may provide some better answers, so hang in there for the moment.
  3. hihat
    Offline

    hihat Registered Member

    thanks for the idea. I can try to replace atapi.sys and will let you know. What about mbam.exe? what is it? why to rename it to explorer.exe? You mean malware antibytes, so that it won't be blocked from running?
    I can only boot with live-cds, not into the system. The bluescreen when trying to start my system appears so shortly I can't read anything, so not sure what was modified / affected. Strangely drweb, mcaffee / stinger and hitman pro don't detect something anymore, although in the first run, hitman pro gave a hint to a hidden hard disc driver that might be a sign of alureon.
    Malware antibytes would have to be installed but that doesn't work with a livecd/stick-system. Could it clean the system from the rootkit after all?
  4. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

  5. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    FYI, I didn't say replace atapi.sys but replace the infected Windows driver with a known good, if you know which file is infected. It is not necessarily atapi.sys but in many cases can be.
  6. hihat
    Offline

    hihat Registered Member

    I tried atapi.sys without effect. How to find out which driver is causing the bluescreen? I thought I could let windows create a protocol (F8...) but there is no ntbtlog.txt created. Part of the virus strategy? Would it work to just replace all files in \system32\drivers with the ones from a running x64 windows 7 - system?
  7. TheKid7
    Offline

    TheKid7 Registered Member

    I would not spend a lot of time struggling with your situation. I would concentrate more on recovering important files from the hard drive. I would probably use Puppy Linux to do the important file recovery, but there are many other options available.

    After that I would do a "zero write" to all sectors of the hard drive using bootable media. Some "zero write" options are: Hard drive manufacturer's bootable diagnostics disk, Terabyte's CopyWipe, Partition Wizard bootable CD, BCWipe (Payware).

    After the "zero write" to all hard drive sectors: Partition/format the hard drive, then reinstall the Windows Operating System, Windows Updates, Software, etc.

    You should start a Windows System Partition Imaging Program. Many people recommend Macrium Reflect Free. I use Image for Windows/Image for DOS/Image for Linux.

    If an Malware Infection event occurs again, just restore a "known clean System Partition Image". The System Partition Image restore process only takes a few minutes. Malware problem solved.
    Last edited: Mar 14, 2011
  8. moontan
    Offline

    moontan Registered Member

    try the Pause/Break button, near the PrintScreen button.

    beside that, i think TheKid7 advice is a good one.
    just nuke the whole drive.
  9. hihat
    Offline

    hihat Registered Member

    Thank you all for your advice and recommendations.
    This was a pretty sophisticated system and I planned to do an image soon, I just wanted to finish the configuration before - and then it happened.
    I replaced several .sys-files, including the classpnp.sys (where it stopped) and the cd.sys (just the next one in the boot order) without success. I acted stupidly getting into these troubles but I find it somewhat disturbing (of an OS) that a complete reinstallation is necessary just because of a manipulated hardware driver.

    Pause / Break didn't work by the way...

    Anyway, thank you again, I really appreciate your contributions.
Thread Status:
Not open for further replies.