Bot Obliterator
Quads
Posts: 13,276
Registered: ‎07-21-2008

Re: HTTPs Tidserv Request

[ Edited ]

Don't worry, I'm used to people not quite understanding each slight difference as it happens, so they can't figure out the removal differences either when things first appear.

 

But that is what new malware and its variations do, and that is what the creators of them want.

 

When a person states "Kaspersky tdsskiller.exe finds one memory infected and one file infected. Tries to fix these, but they are always there on the next scan." or similar, there is no speculation on my part: I know why that is happening with the old TDSSKiller.

 

Quads

Contributor
Instructor
Posts: 22
Registered: ‎09-13-2008

Re: HTTPs Tidserv Request


Quads wrote:

 

When a person states "Kaspersky tdsskiller.exe finds one memory infected and one file infected. Tries to fix these, but they are always there on the next scan." or similar, there is no speculation on my part: I know why that is happening with the old TDSSKiller.

 


The point the guru is making is that JDM did not say "Kaspersky tsddkiller.exe finds one memory..."

 

JDM was quoting from another thread. Look back and you see he says "Though again, I quote from my co-victim from bleeping:" and then the text from 'Dr. Web' until 'scan.' is enclosed in quotation marks, indicating that he was quoting.

 

The situation that existed for one user in another thread does not necessarily apply to another.

 

delphinium
Posts: 9,680
Kudos: 2,855
Solutions: 282
Registered: ‎11-21-2008

Re: HTTPs Tidserv Request

Quads just perhaps spends too much time actually working with the malware. He would have identified the problem from the user's first post.

As far as the actual question, I am not understanding why cgoldman, who is a computer expert of some renown, can't answer it. I don't see that reloading an operating system, which does not use the entire drive space, would do anything to remove any stray rootkit code.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Bot Obliterator
Quads
Posts: 13,276
Registered: ‎07-21-2008

Re: HTTPs Tidserv Request

[ Edited ]

I have just, within the last few hours, infected my PC with the latest TDL in the real world, and both TDSSKiller and TDSS Remover cannot detect the infection or the infected file. I can remove it. Now I just have to find the easiest way to detect the driver so that at least posters can give me the file infected, even if it has to be scripted to be repaired, like with Houston, where I had to know the actual driver involved due to the random Windows driver selection.

 

The guys that update TDSS were quick enough.

 

By the way, the poster was receiving the intrusion attempts same as "Ciaran's screenshots". So "Norton online support again (7 day warranty on virus removal service) and have spent the last two hours watching them try and remotely fix it (basically they reinstalled atapi.sys)."

"Then did some test internet searches and proceeded to tell me it was fixed. I went into the Norton intrusion log and showed them otherwise(!)"

 

That's because even with atapi.sys swapped, the actual file (driver) infected was not "atapi.sys".

 

Quads
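The post above makes the point that the infected driver is not necessarily atapi.sys: TDL picks a Windows driver to patch, and swapping one named file does not help if a different driver carries the infection. One defender-side way to find a patched driver is to verify the Authenticode signature of every file in the drivers directory, since a driver whose bytes were modified after Microsoft signed it no longer verifies. The script below is an added example written for this thread, not code from the thread's participants or from any Norton or Kaspersky tool; it assumes Windows with PowerShell 3.0 or later and an elevated prompt, and the output file name is an arbitrary choice.

```powershell
# Added example (not from this thread): inventory kernel drivers and flag any
# whose Authenticode signature is missing or does not verify. A patched driver
# (atapi.sys in the post above, or whichever driver was chosen at random)
# typically shows HashMismatch here.
# Assumes: Windows, PowerShell 3.0 or later, run from an elevated prompt.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$results = Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Name      = $_.Name
            Size      = $_.Length
            LastWrite = $_.LastWriteTime
            SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Anything that is not 'Valid' deserves a second look. HashMismatch is the
# classic sign of a signed driver whose contents were altered on disk.
$suspect = $results | Where-Object { $_.SigStatus -ne 'Valid' }

$suspect | Sort-Object SigStatus, Name |
    Format-Table Name, SigStatus, Size, LastWrite, SHA256 -AutoSize

# Keep the full inventory (hashes included) so it can be compared against a
# later run, or against a known-clean machine of the same Windows build.
# The file name below is an arbitrary choice for this example.
$results | Export-Csv -Path (Join-Path $env:TEMP 'driver-signatures.csv') -NoTypeInformation
```

Two caveats when reading the output: a rootkit that is still active can hide the patched file from user-mode enumeration, so a clean result from this script is not proof of a clean machine; and on older Windows and PowerShell versions, catalog-signed Microsoft drivers can report NotSigned even when untouched, so compare the hashes against a known-clean machine rather than treating NotSigned alone as evidence. HashMismatch on a Microsoft driver is the result worth reporting back in a thread like this one.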

Regular Visitor
JDM
Posts: 5
Registered: ‎05-17-2010

Re: HTTPs Tidserv Request

[ Edited ]

Hi guys,

 

So to give you an update:

 

Based on everything I have read, it seemed that simply reinstalling Windows would be ineffectual, as it would not wipe out anything at the end of the drive (as other posters also point out). So to check my system further, I ran F-Secure BlackLight and GMER, both the most recent versions from their websites, to try and see if there was a rootkit/hidden drive etc. lurking.

 

BlackLight seemed to work fine; the scan only took five minutes and came up with no issues.

 

Running GMER, however, was a slightly more challenging experience. I ran the rootkit scan last night, and it seemed to be running very slowly; after five hours it was still going (only a 300 gig hard disk, 30% full). At which point my screen saver kicked in (standard Windows starfield), and when I tried to reactivate my screen, the whole system froze for a minute and then I arrived back on my desktop to find GMER had stopped running and closed.

 

I ran it again this morning and noticed that if I tried to do anything in the system in the background, even simple things like opening a BMP with Paint, it would cause the system to freeze... I had a bit of a poke around Google and could see a few other reports of this kind of behaviour when running GMER, but no clarity on whether this was a program/system issue or the result of an infection. So I left it alone to run, and it took about four hours this time to actually complete. It simply scanned through everything and didn't give me any alerts. Didn't give me any notifications at all of any kind, just finished. I saved the log and then clicked on "okay" to exit the program, but then my system just locked up. I finally managed to get Task Manager open, CPU at 100%. Couldn't do anything else or screen dump the processes, so I just physically rebooted the computer.

 

So I have run BlackLight and GMER and nothing has been detected (though GMER was strange, as per above). I can provide logs if they are of any use to anyone.

 

But I'm still not sure if everything is okay, as I just looked at my Norton Security History and can see that an hour after the GMER scan completed there have been several Statistical/Sample Submissions:

 

Statistical Submission: Suspicious.S.Vundo.2 - submission details say "farbuffer.ppl" followed by a detection digest of code

Statistical Submission: Suspicious.S.AD - submission details say "farbuffer.ppl" followed by a detection digest of code

Sample Submission: Suspicious.S.Vundo.2 - submission details only say "farbuffer.ppl"

Sample Submission: Suspicious.S.AD - submission details only say "farbuffer.ppl"

 

I have no idea what this is.

 

And then it gets a bit weirder. I just opened GMER and my Norton froze, CPU at 100% again, and I had to manually reboot the system. After the reboot I can see that at the time Norton froze an "Unauthorized Access (Access Protect Data)" was logged. The "actor" was the GMER exe file and the target was a Norton file, C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe, Target PID: 1572. So I am thinking that perhaps this is nothing to worry about, as the Unauthorised Access alert was just Norton logging that GMER was trying to access a protected file? But the thing is, this was only on me opening GMER, i.e. I didn't run a scan; I opened and closed it within 20 seconds and this happened? Not sure why it locked the system (though as above, GMER keeps doing so).

 

And this still doesn't explain the statistical submissions that occurred an hour after I had finished the GMER scan and half an hour before the unauthorised access. During this time, I did not do anything to my PC or use it at all.

 

So, really from this, my questions are:

 

- Is this kind of erratic behaviour normal for GMER, or is something undetected playing with it?

- Does a clean scan from BlackLight and GMER indicate that there is no rootkit and my system is clean?

- Are the Norton submissions indicative of something still on my system that has not been resolved?

 

- Rereading a bit of stuff from other threads, and the one that this originally generated from (http://community.norton.com/t5/Norton-Internet-Security-Norton/HTTPs-Tidserv-Request-intrusions/td-p...), it seems that TDSS keeps infecting its target driver, even after attempted removal. If I had a TDSS infection and if it had not been successfully removed, would it not keep triggering the Norton Intrusion Prevention alerts that made me aware of it in the first place? i.e. when TDSS reinstalls itself, does it display the same symptoms?

Regular Visitor
JDM
Posts: 5
Registered: ‎05-17-2010

Re: HTTPs Tidserv Request

[ Edited ]

Okay, before I confuse anyone unnecessarily, a supplement to my above post!

 

Have searched my computer and discovered that the suspicious file farbuffer.ppl is actually left over in a temp directory from when I tried to install the Kaspersky online scanner a couple of days ago... It's been a long couple of days!

 

Also I did a bit of reading on the Norton statistical/sample submissions, there's a good post here:

 

http://community.norton.com/t5/Norton-360/npGoogleOneClick8-dll/m-p/104987

 

that explains the process and says that this is Norton sending off a suspicious file for analysis, and if there are any issues detected, Symantec Security Response will provide notification.

 

So assuming all this is correct, then that part of my post is a non-issue, and the only questions I have pending are:

 

- The behaviour of GMER: program related, or the effect of an infection? At this stage, I'm leaning towards program/system and not infection.

 

- Would a clean scan from BlackLight and GMER (even with its problematic behaviour, I got there eventually) be reliable enough to give me confidence there's no rootkit?

 

- And my final question from the previous post, slightly reworded/expanded... Trying to keep it simple, but I need to explain my thought process:

 

If this was a TDSS/rootkit infection, is there potentially still something at the end of the hard drive even though the BlackLight and GMER scans are clean? And if so, is this the part of the virus that would cause the driver files to be continually reinfected, even after virus removal? If this was the case, I would expect that driver reinfection would then cause Norton to give me the same kind of Intrusion Prevention alerts as had occurred originally, as the virus would still be trying to do its thing?


Or, by having replaced the infected driver, is it possible there is still something at the end of the disk that is essentially dormant, a body without a head?

 

As of right now, I am not getting any Norton issues etc., so if there is an infection it is not doing anything that I can discern.

delphinium
Posts: 9,680
Kudos: 2,855
Solutions: 282
Registered: ‎11-21-2008

Re: HTTPs Tidserv Request

Hi JDM:

 

I can't answer most of your questions, but I believe that Norton has to have Auto-Protect disabled to run GMER, and some systems will blue screen. It can also be run in Safe Mode.

 

I don't know if you have found this thread and the attached articles on these types of infections, but it is extremely interesting.

 

http://community.norton.com/t5/Tech-Outpost/Technical-Development-TDSS-Rootkits/m-p/174026#M42

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Visitor
ciaran77
Posts: 6
Registered: ‎05-15-2010

Re: HTTPs Tidserv Request

All good for me a week after a reformat. I'm sure a reformat was overkill, but no signs of it returning so far, and after 2.5 years on the same install of Vista a reformat was long overdue anyway!