Vicious Viruses and Horrible Horses

Status
Not open for further replies.
The new thread is good to go. It will focus on the remaining symptom. Unless people know how to change the profile, there are extra clicks to stay focussed on the latest post or remember to click the icon.

For this thread, I wish I could understand logs from gmer.exe.
To me this would be 'conclusive' - IMHO

Code:
Yes, my final desperate act is 
deploytk.dll --->  deploytk.dlx
Re-scan using ComboFix. Post the log.

The log should detect the name change. If a file of the same name appears as well, then I will scratch my head. This is not a legit system file. If resurrected, the event logs should error-out and other events will document its creation (this is a maybe). No error events would make me lean back toward running gmer.exe in the future - assuming reaching a dead end in the new thread.

[edit] If the file is in use, then the rename will be blocked.
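The rename-and-rescan test described above can be made repeatable. The script below is an added illustration, not something posted in this thread or shipped with ComboFix: it renames a suspect file to a `.dlx` extension, records its SHA-256 first, and then watches the original path for a short window to see whether anything re-creates it (the "protective response" the post is looking for). It also handles the in-use case from the edit: on Windows a rename of a loaded DLL raises `PermissionError`, which is reported rather than treated as a crash. The file names and the temporary directory are constructed for the demo; the second demo function spawns a thread that re-creates the file purely to show what a positive result looks like.

```python
"""Rename-and-observe check for a suspect file (added example, not from the thread)."""
import hashlib
import shutil
import tempfile
import threading
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file so a re-created copy can be compared to the original."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rename_and_observe(target: Path, new_suffix: str = ".dlx",
                       wait_seconds: float = 2.0, poll: float = 0.1) -> dict:
    """Rename `target` and report whether the original name reappears.

    Returns a dict with keys: renamed, in_use, recreated, and (when renamed)
    renamed_path / original_sha256; when re-created, recreated_sha256 and
    same_content as well.
    """
    original_hash = sha256_of(target)
    renamed = target.with_suffix(new_suffix)
    try:
        # On Windows this raises PermissionError if the DLL is loaded by a process,
        # which matches the "rename will be blocked" note in the post.
        target.rename(renamed)
    except PermissionError:
        return {"renamed": False, "in_use": True, "recreated": None}

    recreated = False
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if target.exists():
            recreated = True
            break
        time.sleep(poll)

    result = {
        "renamed": True,
        "in_use": False,
        "recreated": recreated,
        "renamed_path": str(renamed),
        "original_sha256": original_hash,
    }
    if recreated:
        # A re-created file with identical content suggests a watchdog restoring it.
        result["recreated_sha256"] = sha256_of(target)
        result["same_content"] = result["recreated_sha256"] == original_hash
    return result


def _make_sample() -> Path:
    # Constructed sample: a throwaway file standing in for the suspect DLL.
    workdir = Path(tempfile.mkdtemp())
    sample = workdir / "deploytk.dll"
    sample.write_bytes(b"constructed sample bytes, not a real DLL")
    return sample


def demo_quiet() -> dict:
    """Nothing re-creates the file: the expected result for an inert file."""
    sample = _make_sample()
    try:
        return rename_and_observe(sample, wait_seconds=0.5)
    finally:
        shutil.rmtree(sample.parent)


def demo_with_recreator() -> dict:
    """A background thread restores the file, showing a positive detection."""
    sample = _make_sample()
    payload = sample.read_bytes()

    def recreate() -> None:
        time.sleep(0.2)          # let the rename happen first
        sample.write_bytes(payload)

    worker = threading.Thread(target=recreate)
    worker.start()
    try:
        return rename_and_observe(sample, wait_seconds=2.0)
    finally:
        worker.join()
        shutil.rmtree(sample.parent)


if __name__ == "__main__":
    print("quiet:", demo_quiet())
    print("recreator:", demo_with_recreator())
```

The interesting output is the `recreated` flag together with `same_content`: an inert file yields `recreated=False`, while a file restored with identical bytes is the behaviour the post wanted to rule out before trusting the drive.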
 
DjKraid,
If we go this route, Low Level format is required. A complete, fresh re-write of track zero is required (as a minimum).

Kernel level rootkits are very invasive. A large bank in England (I believe) forbids the cleaning & re-use of hard drives so infected. It is difficult to judge if this is an over-reaction or a tell that the infection is more sinister than publicly discussed.
 
I'm not posting for the fun of it, but I believe removing the Partition is better than a format.
I also agree that removal of the Partition may also require a low level format initially, as through knowledge of recovery tools you can still recover data (or Virus\Rootkit...etc) on hard drives. So a zero write may not be a bad idea.

Also sergeant259, your new thread "click click"....(and you kept repeating this word "click"!) was removed by the Administrator here. Please be careful how you create new threads. You can learn more on how to create new threads here.
 
Doesn't sound good...

rf6647 -- I renamed the extension .dll --> .dlx and ran combofix. The log is attached. I don't see any error events, but the .dlx is listed right at the top.

I need a new hard drive?
 
SGT - Thanks for doing the work for me.

Conclusion: I cannot condemn the drive.
Conclusion: deploytk.dll is NOT an active element of an infection.

Observation: Rename to filename.dlx did not trigger a protective response to re-create filename.dll or other 'generated' filename.

Observation: Another thread's logs with same filename has timestamps roughly corresponding to download of ComboFix. Not conclusive.

Background:

GMER.EXE can investigate this drive for kernel rootkits (for a select few), since it has been cleared by MBAM & CatchMe.

I experimented on my laptop using GMER.EXE. No harmful effects.
HOWEVER, I have unanswered questions. Interpretation is not straightforward in all cases.

I have joined malwarebytes.forums to acquire knowledge by observing interpretations of the report. It is going slow for me. The logs / reports are in the body of each thread & I miss my old Unix tools to 'sed / grep' the text.

Attached find my diary for this thread. It focussed on the 'peeling of the onion' with successive applications of MBAM. It also looks at ComboFix.

Drilling in - the descriptors become stronger
Hit the core - delete on reboot
Mop up - quarantine files & folders
Finalize - ComboFix

Summary: Give them a policy & they take the machine!
To my untrained eye, it is surprising that none of this triggered 'catchme' (user level rootkits). Therefore the TDSS infection 'wormed' its way into the computer where it corrupted the basics of XP to see files, monitor tasks, and control access to the internet. I just gotta know.
 