Post by katrina on Nov 2, 2014 12:00:25 GMT -8
Back on the bad computer in Normal Mode. Norton is requesting action on "Boot.Cidox Remove Failed". Action suggested is to "Rescan". I am hitting "Close" (rather than Apply All) and turning off the machine. Will monitor from my laptop for further instructions.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 2, 2014 12:01:09 GMT -8
Now in Normal Mode the system should be a lot better, maybe not completely, but still better.
Quads
Post by Quads on Nov 2, 2014 12:01:58 GMT -8
Hmmmmmm Bootkit too
Quads
Post by Quads on Nov 2, 2014 12:34:06 GMT -8
Please read carefully and follow these steps.
Go to support.kaspersky.com/viruses/common/5350
Click on "1. How to disinfect a compromised system" to expand the question, then click on the TDSSKiller.exe green link to download, and transfer the download to your desktop.
Double click on TDSSKiller.exe that is on the Desktop to run the application. Open the Change Parameters option and select "Detect TDLFS file system". Click OK, then on Start Scan.
After the scan a report will be created. The report can also be found in your root directory (usually C:\ ) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back, or paste it back in a message.
Quads
Post by katrina on Nov 2, 2014 13:13:12 GMT -8
Post by Quads on Nov 2, 2014 13:41:58 GMT -8
OK
You may want to do this in Safe Mode, or have it so that Norton is disabled, due to Norton / Symantec also detecting these, so we have no fight between TDSSKiller and Norton.
Have all the same settings to scan with TDSSKiller; change the detections below so that TDSSKiller will do this:
2:48:57.0596 0x0664 Detected object count: 2
12:48:57.0596 0x0664 Actual detected object count: 2
12:49:40.0871 0x0664 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
12:49:40.0871 0x0664 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip <<============ Change so it will delete the TDFS
12:49:40.0917 0x0664 \Device\Harddisk0\DR0\Partition1 - copied to quarantine
12:49:40.0917 0x0664 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot
12:49:40.0917 0x0664 \Device\Harddisk0\DR0\Partition1 - ok
12:49:40.0917 0x0664 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Cure <<===== Yes is Correct
Quads
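An added example, not from this thread or from Kaspersky: a small parser for TDSSKiller log lines in the format quoted above that pairs each detected object with its verdict and the action the user selected, so a helper can confirm nothing was left at "Skip" before declaring the scan done. The sample log lines are constructed to match that format; the field names are assumptions.

```python
import re

# Constructed sample in the format TDSSKiller prints (paths, verdicts and
# times modelled on the log quoted in the thread; not a real capture).
SAMPLE_LOG = """\
12:49:40.0871 0x0664 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
12:49:40.0871 0x0664 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
12:49:40.0917 0x0664 \\Device\\Harddisk0\\DR0\\Partition1 - copied to quarantine
12:49:40.0917 0x0664 \\Device\\Harddisk0\\DR0\\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot
12:49:40.0917 0x0664 \\Device\\Harddisk0\\DR0\\Partition1 - ok
12:49:40.0917 0x0664 \\Device\\Harddisk0\\DR0\\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Cure
"""

# time  thread-id  object  [( verdict )]  -  message
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}\.\d+)\s+(?P<thread>0x[0-9a-fA-F]+)\s+"
    r"(?P<obj>\S+)(?:\s+\(\s*(?P<verdict>[^)]+?)\s*\))?\s+-\s+(?P<msg>.+)$"
)


def parse_log(text):
    """Return one dict per recognised log line; unrecognised lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def review_actions(entries):
    """Map each object to (verdict, user-selected action), last selection wins.
    Returns a list of (object, verdict, action) tuples in first-seen order."""
    chosen = {}
    for e in entries:
        if e["msg"].startswith("User select action:"):
            action = e["msg"].split(":", 1)[1].strip()
            chosen[e["obj"]] = (e["verdict"], action)
    return [(obj, v, a) for obj, (v, a) in chosen.items()]


def unresolved(entries):
    """Objects the user left at Skip: the scan must be repeated with Delete/Cure."""
    return [obj for obj, _, action in review_actions(entries) if action == "Skip"]


if __name__ == "__main__":
    for obj in unresolved(parse_log(SAMPLE_LOG)):
        print("still skipped:", obj)
```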
Post by katrina on Nov 2, 2014 14:06:17 GMT -8
When the threats detected came up, only TDFS was detected, and I changed it to delete as requested.
Attachment Deleted
Post by Quads on Nov 2, 2014 14:23:46 GMT -8
Ok, is there a 2nd log (between the 2 you have given) showing what has happened to the other detection?
Now, until we are finished, Norton may still detect Boot.Cidox, as the items are in our quarantine folders until we clean up the tools, OR Norton has the listing in the unresolved threats list until that is cleared. But there is no point in doing that until everything is in the clear.
Items like:
13:57:39.0532 0x0204 \Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
13:57:39.0532 0x0204 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
13:57:39.0532 0x0204 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
13:57:39.0563 0x0204 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
13:57:39.0595 0x0204 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
13:57:39.0595 0x0204 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
13:57:39.0595 0x0204 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
13:57:39.0610 0x0204 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
13:57:39.0610 0x0204 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
13:57:39.0626 0x0204 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
13:57:39.0626 0x0204 \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
13:57:39.0641 0x0204 \Device\Harddisk0\DR0\TDLFS\dkmks.tmp - copied to quarantine
Man, your system had a fair few different malware.
Quads
Post by katrina on Nov 2, 2014 14:37:38 GMT -8
It's like an onion...
The first time I did the TDSS, I did not change any default choices that came up. Did it remove it then (since Cure was the default)? There are only those two files in the directory.
Post by Quads on Nov 2, 2014 14:48:44 GMT -8
Ok
Is your system working better now? 2 scripts and TDSSKiller later, it should be.
Quads