How to tell when infected, post rootkit.tdss steps

Hi,

I'm trying to find out if it is possible to tell when a computer has been infected.

I believe I was infected when trying to update my music artwork and clicked on a link to a lyrics site. I was running Symantec Endpoint Protection on XP.

Shortly after that I noticed the "Windows Police Pro" pop-up, and within minutes of my not being able to identify the program or shut it down I pulled my internet plug.

I then proceeded to use Malwarebytes, Spybot Search and Destroy and antiviral to fix the problem in safe mode. That computer has remained offline (with one 5 minute exception) since I first pulled the internet plug.

In the searches I found that the rootkit.tdss was installed. It has been cleaned (the machine rebooted, re-scanned, re-deleted, rebooted, rescanned and reports clean).

I see in another post that the rootkit.tdss is serious. I can't tell when nor how long it was installed - was it installed with the Windows Police Pro or before?

My other workstation (the one I am on now) was used to transfer files on compact flash to the infected one. It is Windows 7 beta and runs Antivir, and scans clean with Malwarebytes and Antivir -- should I worry about it being infected?

I don't know what my next steps should be - should I wipe the OS on the workstation (it is the primary store for the family data and has all of our programs on it, including one I want to use on Monday like my palm pilot) or is it OK to use?

If I do have to wipe it (unpleasant thought!) is the data OK if the scans come up clean? I


Welcome to Malwarebytes! Well, your next step is to copy & paste the above in the HiJackLog Forum as a new topic. Let the experts answer your questions; they have the tools to get you fixed up. I can't comment out in the General forum; logs are not to be posted here. But I'll give you all the info you need. Regards.... (be advised they're busy there, it may take a day or two)

Follow these instructions & post it in the HiJackLog Forum please.

Scan and post logs - read note at bottom in green

If you're having malware-related issues with your computer that you're unable to resolve:

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.


I understand your problem, see this thread please: http://www.malwarebytes.org/forums/index.php?showtopic=12264

That's why you need to go into the HiJack Forum: they will examine your logs and answer your question.

Follow these instructions (in my post above) & post it in the HiJackLog Forum please.



If these questions can't be answered here then please close the post.

I really need to get that workstation back, I just can't tell if the data is safe to use if everything scans clean.

You have posted no logs; the only evidence of an infection where you have to format your hard drive is what you saw in the HJK forum.... What if I said yes, and it could have been repaired & your data saved?


I posted in the HiJack Forum as you suggested. So far there's been no input. I know you are busy, so I expected a delay but hoped for a reply of some kind, even if "wait... you're 999 in the queue" :)


They're very busy in that forum. Once you post a HiJack log it may take 24-48 hrs for a reply. Did you read: http://www.malwarebytes.org/forums/index.php?showtopic=9573

NOTE: Please DO NOT post back to your post within the first 48 hours. Replying to your own posts changes the post count and will often cause helpers to think that you're already being helped and thus they won't open and look at your post. If no one has replied within 48 hours then please go ahead and either reply to your post or send a private message to a Moderator and let them know that you're still needing assistance.

As soon as someone is available they will assist you. Follow the instructions in Post # 2 above... after you've made your post please wait.... there are a bunch of people ahead of you... any questions?
