Evening all,
I’ve become a victim of sibling stupidity, and as a result now have an infected netbook.
My brother ran a file that claimed to be a software crack, which was infected with the trojan mentioned in the subject.
Avast wasn’t running at the time, but on scanning the offending file, detects the aforementioned trojan.
I have run a boot-time scan, but detected nothing.
I have also tried using DrWeb’s LiveUSB to no avail.
So I suppose the good news is I know exactly what caused the damage, but have no idea how to reverse it. I’m hoping someone here will be able to help…
I realise you’ll be wanting more information, but will wait for specific instructions, since I’m not sure if what you’ll want will be related to the offending file or my system in general.
Thanks in advance.
Hi
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Post DDS.txt back to topic.
(additional options > attach)
Thanks for your help. Log attached. (attempted to post straight to topic, but exceeded max character limit.)
Download Norton uninstall tool to uninstall the remnants of Norton Internet Security
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN
Do you have a Combofix log (C:\Combofix.txt)
Please attach it
Inside the log - Warning: possible TDL3 rootkit infection!
Try this utility from Kaspersky Lab - http://support.kaspersky.com/downloads/utils/tdsskiller.zip
c:\docume~1\carl\locals~1\temp\catchme.sys - check it on VT: http://www.virustotal.com/index.html
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F394E7]<<
detected hooks:
\Driver\atapi DriverStartIo → 0x86F39332
missing atapi.sys reference exists >>UNKNOWN [0x86F394E7]<<
we can suspect TDSS RK
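The suspicion above rests on reading the anti-rootkit listing by hand: a hook on \Driver\atapi DriverStartIo whose target is not attributed to any listed module, plus a "missing atapi.sys reference" and an UNKNOWN region at 0x86F394E7. The following Python script is an added example, not part of this thread or of any scanner's own tooling; it parses that listing format (assuming the line shapes shown above, with either "→" or "->" as the arrow) and applies the same triage rules mechanically: an unattributed hook target, a hook into a module that is not in the loaded-module list, a missing driver reference, or a hook target that lies within 64 KiB of an UNKNOWN address are each flagged. The fifth sample line is a constructed benign hook added only for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the first four lines reproduce the scanner output
# quoted in the thread; the last line is a made-up benign hook (arbitrary
# address, attributed to ntoskrnl.exe) so the two cases can be contrasted.
SAMPLE_LOG = "\n".join([
    "called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F394E7]<<",
    "detected hooks:",
    r"\Driver\atapi DriverStartIo → 0x86F39332",
    "missing atapi.sys reference exists >>UNKNOWN [0x86F394E7]<<",
    r"\Driver\Disk DriverStartIo → 0x804EF6AA [ntoskrnl.exe]",
])

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(
    r"^(\\Driver\\\S+)\s+(\w+)\s+(?:→|->)\s+(0x[0-9A-Fa-f]+)(?:\s+\[([^\]]+)\])?$"
)
MISSING_RE = re.compile(r"^missing (\S+) reference")
MODULES_RE = re.compile(r"^called modules:\s*(.*)$")
NEAR_WINDOW = 0x10000  # assumption: a hook within 64 KiB of an UNKNOWN address points into that region


@dataclass
class Hook:
    driver: str            # e.g. \Driver\atapi
    routine: str           # e.g. DriverStartIo
    address: int           # hook target address
    module: Optional[str]  # module the scanner attributed the target to, if any


def parse_hooks(text: str) -> List[Hook]:
    """Extract '\\Driver\\X Routine → 0xADDR [module]' lines."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m.group(1), m.group(2), int(m.group(3), 16), m.group(4)))
    return hooks


def called_modules(text: str) -> List[str]:
    """Module names from the 'called modules:' line, UNKNOWN markers removed."""
    for line in text.splitlines():
        m = MODULES_RE.match(line.strip())
        if m:
            return UNKNOWN_RE.sub("", m.group(1)).split()
    return []


def unknown_addresses(text: str) -> Set[int]:
    """Every address the scanner could not attribute to a module."""
    return {int(a, 16) for a in UNKNOWN_RE.findall(text)}


def missing_references(text: str) -> List[str]:
    """Driver names reported as 'missing <name> reference'."""
    found = []
    for line in text.splitlines():
        m = MISSING_RE.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def assess(text: str) -> Dict[str, object]:
    """Apply the triage rules and return a verdict with human-readable reasons."""
    modules = {m.lower() for m in called_modules(text)}
    unknown = unknown_addresses(text)
    reasons: List[str] = []
    for h in parse_hooks(text):
        if h.module is None:
            reasons.append(f"unattributed hook: {h.driver} {h.routine} -> {h.address:#x}")
        elif h.module.lower() not in modules:
            reasons.append(f"hook into unlisted module {h.module}: {h.driver} {h.routine}")
        for u in sorted(unknown):
            if abs(h.address - u) < NEAR_WINDOW:
                reasons.append(f"hook target {h.address:#x} lies in the UNKNOWN region near {u:#x}")
    for name in missing_references(text):
        reasons.append(f"missing reference to {name}")
    return {"suspect_rootkit": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    verdict = assess(SAMPLE_LOG)
    print("suspect rootkit:", verdict["suspect_rootkit"])
    for r in verdict["reasons"]:
        print(" -", r)
```

Run against the sample, the benign \Driver\Disk hook produces no finding, while the atapi hook is flagged twice (unattributed, and adjacent to the UNKNOWN region) and the missing atapi.sys reference a third time, which matches the conclusion drawn by hand in the post above.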
Thanks for the replies.
Norton Removal Tool - BSOD on first run, seemed to finish properly after reboot.
ComboFix Log - attached. This is from a run before I contacted you, so please let me know if I should re-run.
Kaspersky TDSS Killer - gets to 80% on initialization and then I get asked if I’d like to debug it with the Visual Studio JIT Debugger…I’m assuming it’s crashing at 80%.
Went to load catchme.sys into that online virus checker, but it had vanished.
Remove Combofix icon from the desktop
Please download the new ComboFix to your Desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Deactivate/turn off your protective software.
Open notepad and copy/paste the text present inside the code box below:
File::
c:\docume~1\Carl\LOCALS~1\Temp\jgameenp.sys
Driver::
jgameenp
Save the file to your desktop and name it CFScript.txt
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
http://img835.imageshack.us/img835/5660/cfscriptb4.gif
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
Step 2
Download TDSSKiller on the Desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
When you download the program do the following:
Deactivate/turn off your protective software.
Close running programs.
Run the program. Press the Start scan button.
When the scan is over, the utility outputs a list of detected objects with descriptions.
The utility automatically selects an action (Cure or Delete) for malicious objects.
If malicious objects are found, make sure that you choose “Cure”
http://support.kaspersky.com/images/support_new/2663-2-eng.png
and click Continue, and then click Reboot Now.
Send me the contents of a log from the following location:
C:\TDSSKiller_version_DD.MM.GG_HH.MM.SS.txt
note:
(DD = day, MM = month, GG = year, HH = hour, MM = minutes, SS = seconds; the date and time the log was made)
In your next reply, please post these log(s):
1 ComboFix log
2 TDSSKiller log
Still no luck with TDSSKiller. Screenshot attached showing error. ComboFixLog attached also.
Thanks again for your continued efforts.
Restart the computer
Then a menu will appear where you should choose Microsoft Windows Recovery Console
http://img835.imageshack.us/img835/2078/23757241.jpg
This will start the Recovery Console, and you will be asked which installation you want to log on to. Type in 1 and confirm with Enter.
http://img339.imageshack.us/img339/9746/54609694.jpg
Similarly, you may be asked for a password - type it in, or just press Enter if you do not have one.
Type in fixmbr and confirm with Enter
http://img822.imageshack.us/img822/9463/16789652.jpg
If there is any kind of inquiry, press Y and then Enter
In your next reply, please post a new, fresh DDS log
New DDS log attached.
Running the fix on the master boot record only seems to have removed my ability to access linux, and hasn’t changed any of the options related to windows (I used to have a dual-boot setup with Windows 7 RC, but removed the RC once it expired.)
Thanks again…
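The fixmbr step above and the lost Linux boot option reported in the reply fit together once the layout of the first sector is spelled out: a 512-byte MBR is 446 bytes of boot code, a 64-byte table of four partition entries, and the 0x55AA signature. A fixmbr-style repair replaces only the code area (as I understand it; treat that as an assumption here), so a GRUB stage that lived there is overwritten while the partition table, and with it the Windows installation, is left intact. The Python below is an added example, not code from this thread or from any Microsoft or Kaspersky tool; it builds a constructed MBR, models that rewrite, and shows the integrity check a defender can run against a baseline copy of the sector: hash the boot code and compare the partition table separately, so a changed boot sector is noticed and the kind of change is identified.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # boot code occupies bytes 0..445
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"     # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int    # 0x07 NTFS, 0x83 Linux, 0x05 extended, ...
    lba_start: int
    sectors: int


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partitions (constructed data)."""
    if len(boot_code) > TABLE_OFFSET:
        raise ValueError("boot code must fit in 446 bytes")
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    table = b""
    for p in partitions:
        status = 0x80 if p.bootable else 0x00
        # CHS fields carry the conventional 'use LBA' marker FE FF FF
        table += struct.pack(ENTRY_FORMAT, status, b"\xFE\xFF\xFF", p.type_id,
                             b"\xFE\xFF\xFF", p.lba_start, p.sectors)
    table = table.ljust(64, b"\x00")  # unused entries are all zeros
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table + SIGNATURE


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Validate the sector and decode the non-empty partition entries."""
    if len(mbr) != SECTOR_SIZE or mbr[510:] != SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _, type_id, _, lba, count = struct.unpack(ENTRY_FORMAT, entry)
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the code area only; the value to keep as a baseline."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()


def rewrite_boot_code(mbr: bytes, new_code: bytes) -> bytes:
    """Model of a fixmbr-style repair (assumption: only the code area is replaced)."""
    parse_partitions(mbr)  # refuse to touch something that is not an MBR
    if len(new_code) > TABLE_OFFSET:
        raise ValueError("boot code must fit in 446 bytes")
    return new_code.ljust(TABLE_OFFSET, b"\x00") + mbr[TABLE_OFFSET:]


def diff_mbr(baseline: bytes, current: bytes) -> Dict[str, bool]:
    """Report which part of the sector differs from the saved baseline."""
    return {
        "boot_code_changed": boot_code_hash(baseline) != boot_code_hash(current),
        "partition_table_changed": baseline[TABLE_OFFSET:510] != current[TABLE_OFFSET:510],
    }


if __name__ == "__main__":
    # Constructed layout resembling the dual-boot described in the thread.
    layout = [Partition(True, 0x07, 63, 2048 * 100),              # Windows XP (NTFS)
              Partition(False, 0x83, 63 + 2048 * 100, 2048 * 50)]  # Linux
    with_grub = build_mbr(b"GRUB stage1 (constructed placeholder)", layout)
    baseline = boot_code_hash(with_grub)
    after_fixmbr = rewrite_boot_code(with_grub, b"Windows boot code (constructed placeholder)")
    print("partitions still present:", parse_partitions(after_fixmbr) == layout)
    print("boot code hash changed:", boot_code_hash(after_fixmbr) != baseline)
    print(diff_mbr(with_grub, after_fixmbr))
```

On a real machine the sector would be read from the physical disk with administrative rights and the baseline hash stored somewhere the machine cannot alter; the value of keeping the two checks separate is that a bootkit that patches the code area and a repair that does the same both show up as "boot_code_changed", while a partition table edit is reported on its own.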
argus, please, consider http://forum.avast.com/index.php?topic=19387.msg607589#msg607589
Tech, I’m sorry, I have a prepared tutorial (copy \ paste)
this is much clearer
Please do not use images hosted on imageshack.us here in the forums. They may not be displayed on many computers.
I’m sorry
@Iesu
Repair the dual-boot with this tool, EasyBCD: http://neosmart.net/dl.php?id=1
The rootkit is gone. Any problems?
lol. I have no idea what step along the way actually removed it, but thank you very much for all your help!
I haven’t noticed any further attempts to access malicious URLs, so no more problems. Thanks again.
It is necessary to uninstall Combofix
Start >> Run
Combofix /Uninstall
Enter