TDSS Rootkit

Here's the reply that I got from bleepingcomputers when I told them about my problem with posting my questions the "ordinary way":

Just post your problem in the Virus Removal Forum and explain that you 
cannot post the logs due to the TDSS rootkit. The helpers will understand
and know what to do.

Moved to own thread for better exposure.

I used Norton's "Paid Spyware & Virus Removal Service" Chat. They remotely took over my PC and did their search and destroy magic. I got a 7 day warranty during which I was supposed to use my PC normally and see if my problem reoccurred. Everything went fine for the first several days, until my Firefox started giving its Server not found error and IE gave me its Cannot load page errors, which led initially to my finding out that I had the TDSS Rootkit. So I again contacted Norton and they reran their search and destroy magic. This time after they were done I ran both Malwarebytes and SuperAntiSpyware scans and only got reports showing:

    Adware.SmartShopper
    Adware.MyWebSearch
    Adware.ShopperReports
    Trojan.Vundo
    Rogue.SpywareCease
    Trojan.DNSChanger
and:
    Adware.Zango/SmartShopper
    Adware.MyWebSearch
    Adware.HotBar/ShopperReports(Low Risk)
    Adware.Zango/ShopperReport
    Adware.Flash Tracking Cookie
    Trojan.DNS-Changer(Hi-Jacked DNS)
    Malware.Trace

I also tried HijackThis but couldn't make heads or tails out of its scan results. So far I've not had any problems like I had before, but it's been only a day since the second "removal".

jrszabo:

Were all of those items fully removed by MBAM and SAS?  Are you now getting clean scans from both as well as Norton?  Are you getting any odd entries blocked in intrusion prevention logs?

The only thing that NIS 2010 found was Heuristic Virus. It was quarantined by NIS. I did nothing with MalwareBytes or SAS except scan my system. I wanted NIS to do its "business", instead of MalwareBytes or SAS.

Since Malwarebytes and SAS are by different companies, they have different definitions.  This helps to find things that the other can't because they don't have those definitions yet.  None of them can take out a rootkit.

Your call.

Please download, install and run this tool

http://security.symantec.com/nbrt/npe.asp

Post the results here

- TDSS Rootkit and Volsnap.sys

- TDSS Rootkit and redbook.sys

[edit: Fixed posting error.]

Before I download anything, at least tell me what I'm downloading and what it is supposed to accomplish, please.

I wonder why NIS didn't find any of the same items that Malwarebytes and SAS did, like the Trojan etc., and at least give the option of removing them?

As I remarked earlier, since different developers have different definitions, and different scanning engines, they can all find different things, or find the same things but have different names.

Definitions can only be written as each security developer finds the malicious files and writes the code to detect them.  All of the developers search for malware so that they can keep up with the malicious code.  Some find one and some find another.

The NPE, Norton Power Eraser is a Symantec product, but it was not designed to deal with rootkits.  It can't swap files, it can only delete them.  Not a good idea.

Dr. Web can replace files, but may not be up to date on the latest infections, in which case, it won't work.

That is why a manual removal, at an experienced malware removal forum is the best solution, in my humble opinion.  There is much less risk to your system.

Again, what about the Trojan "items" that both Malwarebytes and SuperAntiSpyware found? Or should I just have Malwarebytes and SuperAntiSpyware deal with the items that they found?

Am I supposed to use both of these, or one or the other? But since Norton already tried to remove it twice, I think that I'll save your post for future reference.

If they all try to remove it and can't, or if it comes back, the next step is manual removal, my friend.  At least MBAM and SAS will not cripple your machine.

John -- everyone -- ignore what my message says since I missed the end of Stu's link which goes to the Norton Power Eraser which is a very different kettle of fish to the Norton Bootable Recovery Tool.

What I wrote is correct about the NBRT but not about how the NPE works -- I don't use the NPE

jrszabo wrote:

Before I download anything, at least tell me what I'm downloading and what it is supposed to accomplish, please.

Hi John,

Stu's "Please download, install and run this tool http://security.symantec.com/nbrt/npe.asp" refers to the Norton Bootable Recovery Tool, which enables you to run a Norton scan from outside Windows, which is similar to what Dale suggests elsewhere of pulling the disk and connecting it to another computer.

You get full instructions on the link he refers you to, and it's an ISO file that you have to burn to a CD using the special technique of putting an ISO image on a disk, which is not the same as burning a file to a CD. It's in most burning software like Nero and Roxio, but I downloaded and used a specialized tool called ImgBurn because it is so simple and you don't have to hunt so much to find the right thing to do!

But if you have the Norton CD/DVD that comes with a retail copy of Norton you can boot to that and from the menu that you use to install Norton -- that you do not need to do -- choose the menu item on the screen to scan the computer. I think it will then create a section of RAM memory, install itself there (not on your hard drive) update itself or at least the definitions and run and then when you reboot your computer it cleans up what it put in RAM ....

Hope that clarifies it and is correct -- if not I'm sure someone will jump in and put me right!

Hugh

Floating_Red wrote:

- TDSS Rootkit and Volsnap.sys

- TDSS Rootkit and redbook.sys

[edit: Fixed posting error.]

TDL3 (+) selects a driver that Windows requires, not just those 2 if it decides.

This includes "atapi.sys", pci.sys, dmio.sys, i8042prt.sys, imapi.sys... do I need to continue.

It's not just those 2 TDSS can choose.

Quads

Thanks for translating Dale for me. Since I'm not at home (i.e. no printer access) I think I should wait until I get home on Monday. It's better for me to print out your reply. I have several Norton retail CDs at home but not the one for NIS 2010 (this one is only a download). I think that I have NIS 2009 at home. Does it matter which one I use?

John,

If you can use your computer and are away from home I would wait until you are back where I think you may have a fallback computer if or when ......

Did you see my correction to the message I posted -- I misread the URL and did not try it first, and Stu is suggesting you use a different tool called the Norton Power Eraser.

When I mentioned Dale it was a reference to the similar thread on Compuserve where Dale, the Wizop, insists that he always pulls the hard drive and cleans it using a different computer and that everyone should do it that way! But I don't really see you pulling the hard drive out of your laptop, and Quads, another regular here, says that he does not do it for rootkits, and he does have tremendous experience.

But it's one thing for an expert to have a way of doing things that always works for him and another for that to be the best thing for someone who is not an expert to use -- that's why I use Wizards when offered, another thing that upsets our mutual friend!

I saw your correction because I saw the 1/4" size (at least on my screen) letters of the word IGNORE

You only need to continue if you want dummies like me to understand your post!