The saga of Rootkit.win32.TDSS.
My winxp is booting now, but has winxp problems. I'm only posting
about one thing here. The Kaspersky AV boot disk said there was a
problem with my MBR.
I ran mbr.exe on my friend's HP netbook, the one with the mbr problem
according to Kaspersky, and it said
Title: Stealth MBR rootkit/MEbroot/sinowal Detector 0.3.7 by Gmer
device: opened successfully
user: MRR read successfully
kernel: MBR read successfully
user & kernel OK
--------------------------------------------
Then I ran a different program that might have been available at the
same place, but it's 293,000 bytes instead of 77,000. They assign a
random name to it, because some viruses keep track of names and won't
let known things start. (Of course you could rename it yourself) but
I guess it's a later version of gmer.exe, that is, later than mbr.exe,
with a gui.
My screen looks like the one at www.gmer.net but my results don't look
anything like theirs. None of my lines are in red, or anything like
the one there.
At the top of the gui it says GMER 1.0.15.15281
Under Rootkit/Malware it has 10 lines which I don't understand.
Because it doesn't specifically say I have a problem, but it has 10
lines with what don't look like file names in the Rootkit/Malware tab
of the program!!??
Each starts with AttachedDevice
In the next column are names like
\FileSystem\ntfs\ntfs
\fastfat\fat 3 of these
\Driver\Tcpip\Device\lp
\tcp
\udp
\Rawlp
\Kbdclass \Device\keyboardClass0
1
And the values for each name are:
SYMEVENT.SYS (Symatec Event Libary/Symatec Corporation) 2 of these
fltMgr.sys(Microsoft Filesystem Filter Manager/Microsofot ) 2
SYMTDI.SYS (Network Dispatch Driver/Symantec Corp.) 4 of these
SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) 2 of these
What do you think this means? (There is no help link or file in the
program.)
------------------
Then I ran TDSSKiller.exe, which took 60 seconds, and scanned about
214 items, and it said that the MBR had Rootkit.win32.TDSS.tdl4, which
except for the last node is what Kaspersky said**. It offered to
Skip, Quarantine, Cure, or Restore. I chose Cure. I don't think you
can Quarantine the mbr!
can Quarantine the mbr!
I ran cure and it said it would be cured after the next boot, but when
I ran TDSSkiller after the next boot, it again said it had the same
malicious object. I didn't want to run Cure again, so I just clicked
on the X in the upper right corner, but again it said it would be
cured after the next reboot. Even though I exited without clicking on
Continue! Strange. It still said it was there after the next boot.
**Wait. TDSSKiller is also by Kaspersky, which is the only AV program
out of 6 bootdisks that I ran that said I had an mbr problem.
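The AttachedDevice rows in GMER's Rootkit/Malware tab list filter drivers that have attached a device object to another driver's device stack (file systems, the TCP/IP stack, the keyboard class driver); GMER shows them for context and only colours a row red when it considers it suspicious. What an analyst does with such a list is group the rows by attaching module and check each module's vendor string against what is known to be installed on the machine. The following Python script, added here as an example and not part of the original post or of GMER, does that over constructed sample lines laid out like GMER's log. The sample mirrors the ten entries described above, plus one extra constructed line with an unresolved module (`example_unknown.sys`, a placeholder) so that the review path is exercised; the `EXPECTED_VENDORS` allowlist is an assumption for this machine, not a general rule.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of GMER's AttachedDevice rows:
# driver object, attached device object, attaching module and its
# "(description/vendor)" string. The first ten lines mirror the post's
# counts (1 ntfs, 3 fastfat, 4 Tcpip, 2 Kbdclass; SYMEVENT x2, fltMgr x2,
# SYMTDI x4, SynTP x2). The last line is a constructed placeholder with no
# vendor information, added only to exercise the review path. Not real
# GMER output.
SAMPLE_LOG = r"""
AttachedDevice  \FileSystem\Ntfs \Ntfs  SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat  SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \FatCdrom  fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Disk \Device\Harddisk0\DR0  example_unknown.sys
"""

# Vendors the analyst knows are installed on this particular machine
# (assumption for the sample: Symantec AV, Windows filter manager,
# Synaptics touchpad). Anything else, or a module with no vendor string,
# is flagged for manual review rather than declared malicious.
EXPECTED_VENDORS = {"Microsoft Corporation", "Symantec Corporation", "Synaptics, Inc."}

# driver, device and module are whitespace-free tokens; the
# "(description/vendor)" tail is optional because GMER cannot always
# resolve a module's version information.
LINE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<description>[^/]*)/(?P<vendor>[^)]*)\))?\s*$"
)


def parse_attached_devices(log_text):
    """Return one dict per AttachedDevice row; other rows are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("AttachedDevice"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised AttachedDevice row: {line!r}")
        entries.append(m.groupdict())
    return entries


def summarize(entries, expected_vendors=EXPECTED_VENDORS):
    """Group rows by attaching module and flag rows whose vendor is unknown."""
    per_module = defaultdict(list)
    for e in entries:
        per_module[e["module"]].append(e["device"])
    needs_review = [
        e for e in entries
        if not e["vendor"] or e["vendor"] not in expected_vendors
    ]
    return {"per_module": dict(per_module), "needs_review": needs_review}


def main():
    report = summarize(parse_attached_devices(SAMPLE_LOG))
    for module, devices in sorted(report["per_module"].items()):
        print(f"{module:<22} attached to {len(devices)} device(s): {', '.join(devices)}")
    for e in report["needs_review"]:
        print(f"REVIEW: {e['module']} on {e['driver']} {e['device']} (no known vendor)")


if __name__ == "__main__":
    main()
```

Run with `python gmer_attached.py`. The grouped view reproduces the per-module counts from the post (two SYMEVENT, two fltMgr, four SYMTDI, two SynTP, all from expected vendors), and only the constructed placeholder row is reported for review; a module attached to the disk stack without recognisable vendor information is the kind of row worth checking by hand, not a verdict on its own.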