GeekPolice

infected with win32rootkit.tdss


infected with win32rootkit.tdss

Post by shushon on Thu Mar 19, 2009 2:53 am

Please help. I came in contact with this virus a few months ago, and I thought it was gone. At that time I simply ran Malwarebytes.
But Sunday the 15th of this month, the PC began to do odd things again. First it would not allow me to open Avira to scan or use as protection. Then random music would play. Also it would not let me run Malwarebytes. Then the redirecting started. I ran Ad-Aware and it told me of the win32rootkit.tdss, said it would be removed after reboot; to no avail, it remained. Then the computer, or should I say virus, seemed to get smarter. If I put the virus name in search, any search, it would show me sites to get information, but when clicking on a site it would redirect me. Actually I am writing this message on my laptop, because the home PC will not let me go to your site, it redirects. It's getting worse, so it seems. I have no log to post at this time.
But I will be honest and tell you it did allow me to go to a similar site to post my problem. They did get back with me, had me do a number of things and try to get logs, and the only successful log that I could send was from MGtools. I wasn't able to successfully run ComboFix, superspyware, or retrieve a log for ErrorSmart. Also please note that the PC will not allow me to delete Malwarebytes or Avira from my PC. I am contacting you because I really feel that the other site is not responding well. Very slow in response.
I am stumped and very upset with this. This is a new PC, only about 8 months old. Please, please help me.
Note: I am going to email your address to myself and see if the PC will let me get on your site through that link. Success!!! I was able to fool the virus and now have your site (as of now) pulled up on the infected PC.

shushon
Novice

Posts : 48
Joined : 2009-03-19
OS : windows xp home version

Re: infected with win32rootkit.tdss

Post by Doctor Inferno on Thu Mar 19, 2009 5:01 am

Hello,

Read this topic:

[You must be registered and logged in to see this link.]

And post a HijackThis log here.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64

Re: infected with win32rootkit.tdss

Post by shushon on Thu Mar 19, 2009 8:51 pm

I ran the Java and downloaded; it was successful. Adobe Reader update would not connect; I tried several times, it just would not connect, even though it was saying connecting. I currently have Adobe Reader 8. I tried to download in safe mode; it would not load. Also Windows Update will not update at all; I have gotten the error message 0x80072f78, and when I tried to query Microsoft the window would shut down on me.
Thank you for responding so quickly.


Re: infected with win32rootkit.tdss

Post by Belahzur on Thu Mar 19, 2009 8:56 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: infected with win32rootkit.tdss

Post by shushon on Thu Mar 19, 2009 11:26 pm

Avenger would not run from the desktop, I get a screen, but it is so brief, there is no way to read it. I also tried doing this in firefox and on safe mode, to no avail, it still defeats me.
Thanks for the quick response. I really appreciate the help


Re: infected with win32rootkit.tdss

Post by Belahzur on Thu Mar 19, 2009 11:37 pm

Hello.
If this is TDSS, I have yet to see any TDSS variant that has stopped the avenger, only one rootkit disabled the avenger, but can't hide from GMER.

Please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe. Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard. Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.

The log will be quite big, so you may need to upload it at a file hosting website like [You must be registered and logged in to see this link.].



Re: infected with win32rootkit.tdss

Post by shushon on Thu Mar 19, 2009 11:55 pm

The file would not open. Like with all zip files, I download them to the desktop and try to open them, I get the hourglass and nothing, no window, no prompt; it's like it tries to open but nothing happens.
Please don't tell me that I am basically up the creek without a paddle. I am really frightened now.


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 12:37 am

I'm not giving up yet, we have more tricks up our sleeve. I have renamed GMER.exe to runthis.com, so hopefully it will bypass the malware.

Download from here:
[You must be registered and logged in to see this link.]

On the link, look down the bottom half of the page for "Download with filefactory basic", then type in the security code, and it gives you the download link for it.
See if runthis.com will run.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 1:04 am

I got it to run!!! But I haven't run it, because a warning box popped up saying: WARNING GMER has found system modification which might have been caused by rootkit activity. Do you want to fully scan your system? YES or NO? What should I do about the warning? I am afraid at this point to move on without instruction. Being careful.


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 1:05 am

Told ya we have a few aces left.

Select NO to the scan, all I need is the rootkits service name, then we can disable it.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 1:28 am

GMER 1.0.15.14939 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-19 21:19:41
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- System - GMER 1.0.15 ----

Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) ZwCreateKey [0xBA0DBC8E]
Code 8A8A6826 ZwEnumerateKey
Code 8A70ACA0 ZwFlushInstructionCache
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) ZwOpenKey [0xBA0DBC10]
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xBA0DB999]
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) IoCreateFile
Code 8A8A441E IofCallDriver
Code 8A8A0326 IofCompleteRequest
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys (*** hidden *** ) [BOOT] 8f8fcb63b7e57edadea0e91ca4f45135 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACinapaqfh.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----



Is this what you needed??????????? Thank you, thank you for helping me!!!!! If this isn't what you need, um, tell me where I am to find the log you do need.


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 1:40 am

Hello.
Wow, one big horrible circle of malware.
There are TWO rootkits.

UACd.sys <== this one, the avenger can take down no problem.
8f8fcb63b7e57edadea0e91ca4f45135 <== this one, is stopping the avenger from running.

I've battled against the random name one twice now, and you'll be my third.

We can use GMER to disable both of them.

Select >>>>>
Click the CMD tab
In the top box paste the following.
gmer -del service UACd.sys
Click Run.
You should get a result saying "Command executable successfully", or something along that line.

Now to disable the next rootkit.

Select >>>>>
Click the CMD tab
In the top box paste the following.
gmer -del service 8f8fcb63b7e57edadea0e91ca4f45135
Click Run.
You should get a result saying "Command executable successfully" again.

Now both are disabled, we have to take them down, but we can't use the avenger. But the tool we are going to use is EXTREMELY powerful. In your state right now, we have to disable any protection programs you have running, because not only will malware interfere, the protection programs will interfere.

I need to know what AV (antivirus) you are running.


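Belahzur reads the GMER log above by hand: two hidden services, one of which is also patching kernel routines. As an added example that is not part of this thread or of GMER itself, the Python below parses the System and Services sections of that log format and produces the same triage automatically; the sample input is the log quoted above embedded inline, and the name heuristics (32 hex digits, UAC plus random letters) are assumptions drawn from the file names in this thread.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict

# Constructed sample input: the System and Services sections of the GMER log
# quoted in this thread (forum link replaced by a placeholder).
SAMPLE_LOG = r"""GMER 1.0.15.14939 - [link placeholder]

---- System - GMER 1.0.15 ----

Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) ZwCreateKey [0xBA0DBC8E]
Code 8A8A6826 ZwEnumerateKey
Code 8A70ACA0 ZwFlushInstructionCache
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) ZwOpenKey [0xBA0DBC10]
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xBA0DB999]
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) IoCreateFile
Code 8A8A441E IofCallDriver
Code 8A8A0326 IofCompleteRequest
Code 8f8fcb63b7e57edadea0e91ca4f45135.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys (*** hidden *** ) [BOOT] 8f8fcb63b7e57edadea0e91ca4f45135 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACinapaqfh.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# Code <module or bare address> [(vendor)] <routine> [[0xADDR]]
CODE_RE = re.compile(
    r"^Code (?P<module>\S+)(?: \((?P<vendor>[^)]*)\))? (?P<func>\w+)"
    r"(?: \[0x(?P<addr>[0-9A-Fa-f]+)\])?$"
)
# Service <path> (*** hidden *** ) [<start type>] <name> [<-- ROOTKIT !!!]
SERVICE_RE = re.compile(
    r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] "
    r"(?P<name>\S+)(?P<flag> <-- ROOTKIT !!!)?$"
)
RAW_ADDR_RE = re.compile(r"^[0-9A-F]{8}$")      # hook target printed as a bare address
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)   # hash-like file name
# Assumption: pattern derived from the UACinapaqfh.sys-style names seen in this thread.
UAC_NAME_RE = re.compile(r"^UAC[a-z]{6,}$")


def parse_gmer_log(text: str) -> tuple[list[dict], list[dict]]:
    """Return (hooks, hidden_services) parsed from the System and Services sections."""
    hooks: list[dict] = []
    services: list[dict] = []
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := CODE_RE.match(line)):
            hook = m.groupdict()
            # Bare address: the patch jumps into memory GMER cannot attribute to a driver.
            hook["unbacked"] = RAW_ADDR_RE.match(hook["module"]) is not None
            hooks.append(hook)
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            svc = m.groupdict()
            svc["flag"] = svc["flag"] is not None      # GMER appended "<-- ROOTKIT !!!"
            services.append(svc)
    return hooks, services


def suspicious_name(path: str) -> str | None:
    """Why a driver file name looks machine-generated, or None if it does not."""
    stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
    if HEX32_RE.match(stem):
        return "32-hex-digit name, a hash rather than a vendor driver name"
    if UAC_NAME_RE.match(stem):
        return "UAC-prefixed random name, like the other files in this thread"
    return None


def triage(hooks: list[dict], services: list[dict]) -> dict:
    """Group hooks by hooking module and tie each hidden service back to them."""
    by_module: dict[str, list[str]] = defaultdict(list)
    for h in hooks:
        by_module["<unbacked address>" if h["unbacked"] else h["module"]].append(h["func"])
    hooking = {h["module"].lower() for h in hooks if not h["unbacked"]}
    findings = []
    for svc in services:
        findings.append({
            "service": svc["name"],
            "start": svc["start"],
            "gmer_flagged": svc["flag"],
            "name_heuristic": suspicious_name(svc["path"]),
            # The driver patching ZwOpenKey/ZwQueryDirectoryFile hides its own file and key.
            "hooks_kernel": svc["path"].rsplit("\\", 1)[-1].lower() in hooking,
        })
    return {"hooks_by_module": dict(by_module), "hidden_services": findings}


if __name__ == "__main__":
    print(json.dumps(triage(*parse_gmer_log(SAMPLE_LOG)), indent=2))
```

Running it on the log above reports the BOOT-start hash-named service as the one hooking the kernel, which is exactly the driver that later stopped The Avenger from running.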

Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 1:44 am

Um, this is the message I got from the first one:
'C:\Documents' is not recognized as an internal or external command,
operable program or batch file.
Do you want me to continue to the 2nd one?


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 1:47 am


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to rename Combofix so malware won't stop it running.

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 1:55 am

Well... I got ComboFix to the desktop, renamed it like you told me to, pressed the "here" button to get rid of Avira, and it took me totally out of all my windows!!! Sheesh. I bet you're like, this chick has got problems, lol; got to laugh or I may cry. lol. But please also note that not only do I have Avira, I have Malwarebytes, and neither one of them will run or can be removed from my system. Sigh


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 9:17 am

Are you able to boot to safe mode?



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 2:22 pm

Yes so far I am able to go into safe mode


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 2:55 pm

Okay, see if Combofix will run in safe mode when it's renamed.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 3:34 pm

Ran ComboFix, downloaded the Windows component, then ComboFix ran, stopped and gave me this message:
ComboFix has detected the presence of rootkit activity and needs to reboot the machine, kindly note down on paper the name of each file. This is what I noted:
c:\windows\system32\drivers\uacinapaqfh.sym
\uacikpahhiq.dll
\uacvsdumaqs.dat
\uacfketevcu.dll
\uacoqislaoe.dll
\uacmhtvjyxo.dll
\uacstuaaleo.dll
\uacysvuwinf.log
\uacxldsnekc.log
\uacglyetsob.log
Then the PC powered off, rebooted in normal mode and ran the scan. I am sending you the log of that scan in the following post.


Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 3:36 pm

ComboFix 09-03-18.01 - Owner 2009-03-20 11:18:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3063.2733 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dcbaebeacb.dll
c:\windows\system32\drivers\UACinapaqfh.sys
c:\windows\system32\UACfketevcu.dll
c:\windows\system32\UACglyetsob.log
c:\windows\system32\UACikpahhiq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmhtvjyxo.dll
c:\windows\system32\UACoqislaoe.dll
c:\windows\system32\UACstuaaleo.dll
c:\windows\system32\UACvsdumaqs.dat
c:\windows\system32\UACxldsnekc.log
c:\windows\system32\UACysvuwinf.log
c:\windows\system32\vumer.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-19 19:41 . 2009-03-19 19:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 12:42 . 2009-03-19 19:17 d-------- c:\program files\NOS
2009-03-19 12:42 . 2009-03-19 19:17 d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-19 12:36 . 2009-03-19 19:41 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-17 21:03 . 2009-03-17 21:03 1,339,834 --a------ C:\MGtools.exe
2009-03-17 20:38 . 2009-03-17 20:38 d-------- c:\documents and settings\Owner\Application Data\ErrorSmart
2009-03-16 14:30 . 2009-03-16 14:30 19,727 --a------ c:\windows\system32\AAWService_2009_03_16_14_30_30.dmp
2009-03-16 14:18 . 2009-03-16 14:18 19,727 --a------ c:\windows\system32\AAWService_2009_03_16_14_18_45.dmp
2009-03-16 13:50 . 2006-07-01 02:30 d-------- c:\documents and settings\Administrator.MONSTERPUTER\WINDOWS
2009-03-16 13:50 . 2008-03-31 22:22 d-------- c:\documents and settings\Administrator.MONSTERPUTER\Application Data\Symantec
2009-03-16 13:50 . 2008-03-31 22:20 d-------- c:\documents and settings\Administrator.MONSTERPUTER\Application Data\SampleView
2009-03-16 13:50 . 2009-03-16 13:50 d-------- c:\documents and settings\Administrator.MONSTERPUTER
2009-03-16 13:42 . 2009-03-17 21:45 d-------- C:\MGtools
2009-03-16 13:42 . 2009-03-17 21:45 63,529 --a------ C:\MGlogs.zip
2009-03-16 00:19 . 2009-03-16 00:19 19,939 --a------ c:\windows\system32\AAWService_2009_03_16_00_19_41.dmp
2009-03-15 23:33 . 2009-03-15 23:35 d-------- c:\documents and settings\Owner\Application Data\ErrorFix
2009-03-15 23:01 . 2009-03-15 23:01 22,056 --a------ c:\windows\system32\AAWService_2009_03_15_23_01_11.dmp
2009-03-15 21:10 . 2009-03-15 21:10 19,939 --a------ c:\windows\system32\AAWService_2009_03_15_21_10_16.dmp
2009-03-15 20:58 . 2009-03-15 21:09 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-15 20:45 . 2009-03-15 20:46 22,265 --a------ c:\windows\system32\AAWService_2009_03_15_20_45_58.dmp
2009-02-24 14:32 . 2009-02-24 14:32 d-------- c:\documents and settings\Owner\Application Data\HP
2009-02-23 00:06 . 2009-02-23 00:06 268 --ah----- C:\sqmdata03.sqm
2009-02-23 00:06 . 2009-02-23 00:06 244 --ah----- C:\sqmnoopt03.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 23:41 --------- d-----w c:\program files\Java
2009-03-19 01:51 1,432 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-03-18 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-16 01:28 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-15 19:28 --------- d-----w c:\program files\PokerStars
2009-02-24 18:28 --------- d-----w c:\program files\Windows Live
2009-02-13 16:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-04-01 02:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-09-05 19:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-05 94208]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2008-03-27 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2008-03-27 16040]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-05 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-05 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"ShowWnd"="ShowWnd.exe" [2005-01-27 c:\windows\ShowWnd.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]
"ModPS2"="ModPS2Key.exe" [2006-11-07 c:\windows\ModPS2Key.exe]
"CHotkey"="zHotkey.exe" [2006-11-07 c:\windows\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2008-10-16 98984]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-07-01 69692]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d91da9c7-ff8d-11dc-8ad7-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-16 c:\windows\Tasks\ErrorFix Scan.job
- c:\program files\ErrorFix\ErrorFix.exe []

2009-03-16 c:\windows\Tasks\ErrorFix Scan.job
- c:\program files\ErrorFix []

2009-03-19 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2009-03-19 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - c:\windows\system32\vumer.dll
HKCU-Run-ErrorFix - c:\program files\ErrorFix\ErrorFix.exe
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.MONSTERPUTER\Application Data\Mozilla\Firefox\Profiles\3nqurh7y.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-20 11:22:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys 39936 bytes executable
c:\windows\system32\_8f8fcb63b7e57edadea0e91ca4f45135.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8f8fcb63b7e57edadea0e91ca4f45135]
"ImagePath"="system32\8f8fcb63b7e57edadea0e91ca4f45135.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Lexmark 2600 Series\lxdnmsdmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdncoms.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-20 11:25:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 15:25:04

Pre-Run: 135,244,611,584 bytes free
Post-Run: 136,867,393,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

191 --- E O F --- 2009-03-15 07:00:58


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 4:00 pm

Very well done, the TDSS rootkit is gone, but that random named one still remains. We have to run Combofix again with additional directives.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

ROOTKIT::
c:\windows\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys
c:\windows\system32\_8f8fcb63b7e57edadea0e91ca4f45135.sys_.vir

File::
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\Tasks\ErrorSmart Scheduled Scan.job
c:\windows\Tasks\ErrorSmart Scheduled Scan.job
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\MGtools.exe

Folder::
c:\program files\ErrorFix
c:\program files\ErrorSmart
c:\documents and settings\Owner\Application Data\ErrorSmart

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8f8fcb63b7e57edadea0e91ca4f45135]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d91da9c7-ff8d-11dc-8ad7-806d6172696f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 4:12 pm

ComboFix 09-03-18.01 - Owner 2009-03-20 12:05:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3063.2542 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
C:\MGtools.exe
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\Tasks\ErrorSmart Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\ErrorSmart
c:\documents and settings\Owner\Application Data\ErrorSmart\Log\2009 Mar 19 - 01_17_43 PM_250.log
c:\documents and settings\Owner\Application Data\ErrorSmart\Log\2009 Mar 19 - 07_05_40 PM_531.log
c:\documents and settings\Owner\Application Data\ErrorSmart\Log\2009 Mar 19 - 12_15_00 PM_359.log
C:\MGtools.exe
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
c:\windows\system32\_8f8fcb63b7e57edadea0e91ca4f45135.sys_.vir
c:\windows\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys
c:\windows\Tasks\ErrorFix Scan.job
c:\windows\Tasks\ErrorSmart Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-19 19:41 . 2009-03-19 19:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 12:42 . 2009-03-19 19:17 d-------- c:\program files\NOS
2009-03-19 12:42 . 2009-03-19 19:17 d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-19 12:36 . 2009-03-19 19:41 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-16 14:30 . 2009-03-16 14:30 19,727 --a------ c:\windows\system32\AAWService_2009_03_16_14_30_30.dmp
2009-03-16 14:18 . 2009-03-16 14:18 19,727 --a------ c:\windows\system32\AAWService_2009_03_16_14_18_45.dmp
2009-03-16 13:50 . 2006-07-01 02:30 d-------- c:\documents and settings\Administrator.MONSTERPUTER\WINDOWS
2009-03-16 13:50 . 2008-03-31 22:22 d-------- c:\documents and settings\Administrator.MONSTERPUTER\Application Data\Symantec
2009-03-16 13:50 . 2008-03-31 22:20 d-------- c:\documents and settings\Administrator.MONSTERPUTER\Application Data\SampleView
2009-03-16 13:50 . 2009-03-16 13:50 d-------- c:\documents and settings\Administrator.MONSTERPUTER
2009-03-16 13:42 . 2009-03-17 21:45 d-------- C:\MGtools
2009-03-16 13:42 . 2009-03-17 21:45 63,529 --a------ C:\MGlogs.zip
2009-03-16 00:19 . 2009-03-16 00:19 19,939 --a------ c:\windows\system32\AAWService_2009_03_16_00_19_41.dmp
2009-03-15 23:33 . 2009-03-15 23:35 d-------- c:\documents and settings\Owner\Application Data\ErrorFix
2009-03-15 23:01 . 2009-03-15 23:01 22,056 --a------ c:\windows\system32\AAWService_2009_03_15_23_01_11.dmp
2009-03-15 21:10 . 2009-03-15 21:10 19,939 --a------ c:\windows\system32\AAWService_2009_03_15_21_10_16.dmp
2009-03-15 20:58 . 2009-03-15 21:09 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-15 20:45 . 2009-03-15 20:46 22,265 --a------ c:\windows\system32\AAWService_2009_03_15_20_45_58.dmp
2009-02-24 14:32 . 2009-02-24 14:32 d-------- c:\documents and settings\Owner\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 23:41 --------- d-----w c:\program files\Java
2009-03-19 01:51 1,432 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-03-18 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-16 01:28 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-15 19:28 --------- d-----w c:\program files\PokerStars
2009-02-24 18:28 --------- d-----w c:\program files\Windows Live
2009-02-13 16:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-04-01 02:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-09-05 19:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-20 16:07:50 16,384 ----atw c:\windows\temp\Perflib_Perfdata_48c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-05 94208]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2008-03-27 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2008-03-27 16040]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-05 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-05 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"ShowWnd"="ShowWnd.exe" [2005-01-27 c:\windows\ShowWnd.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]
"ModPS2"="ModPS2Key.exe" [2006-11-07 c:\windows\ModPS2Key.exe]
"CHotkey"="zHotkey.exe" [2006-11-07 c:\windows\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2008-10-16 98984]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-07-01 69692]
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic7n9g1n.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-20 12:07:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Lexmark 2600 Series\lxdnmsdmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdncoms.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-20 12:10:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 16:10:50
ComboFix2.txt 2009-03-20 15:25:08

Pre-Run: 136,863,916,032 bytes free
Post-Run: 136,847,237,120 bytes free

171 --- E O F --- 2009-03-15 07:00:58

shushon
Novice

Posts : 48
Joined : 2009-03-19
OS : windows xp home version

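The ComboFix log above is what a helper reads to confirm the CFScript did its job. As an added example (my code, not the thread's, ComboFix's or the forum's), the Python below parses a ComboFix log into its banner-delimited sections, turns the "Files Created" lines into records, flags file names that are a bare 32-hex string (the shape of the randomly named driver the script targeted), and reports which ROOTKIT::, File:: and Folder:: targets from the script actually show up under "Other Deletions". The embedded log and script excerpts are constructed from lines in this thread; the function names and the 32-hex heuristic are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt modelled on the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\ErrorSmart
C:\MGtools.exe
c:\windows\system32\_8f8fcb63b7e57edadea0e91ca4f45135.sys_.vir
c:\windows\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys
c:\windows\Tasks\ErrorFix Scan.job
.
((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))
2009-03-19 19:41 . 2009-03-19 19:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-16 13:42 . 2009-03-17 21:45 d-------- C:\MGtools
"""

# Constructed CFScript using the directives from Belahzur's post above.
SAMPLE_SCRIPT = r"""
KILLALL::
ROOTKIT::
c:\windows\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys
c:\windows\system32\_8f8fcb63b7e57edadea0e91ca4f45135.sys_.vir
File::
c:\windows\Tasks\ErrorFix Scan.job
C:\MGtools.exe
Folder::
c:\program files\ErrorFix
c:\documents and settings\Owner\Application Data\ErrorSmart
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")   # "((( Title )))" banner
CREATED_RE = re.compile(                                    # created . modified [size] attrs path
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-a-z]{9}) (?P<path>.+)$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}(?![0-9a-z])", re.IGNORECASE)  # MD5-like random name

@dataclass
class CreatedEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories, which have no size column
    attrs: str
    path: str

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a ComboFix log by section banner."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections.setdefault(current, [])
        elif line and line != ".":   # ComboFix pads sections with "." lines
            sections[current].append(line)
    return sections

def parse_created(lines: List[str]) -> List[CreatedEntry]:
    """Turn 'Files Created' lines into records; lines that do not parse are skipped."""
    entries = []
    for m in filter(None, map(CREATED_RE.match, lines)):
        size = m.group("size")
        entries.append(CreatedEntry(m.group("created"), m.group("modified"),
                                    int(size.replace(",", "")) if size else None,
                                    m.group("attrs"), m.group("path")))
    return entries

def find_random_hex_names(paths: List[str]) -> List[str]:
    """Flag paths whose file name is a bare 32-hex string, like the rootkit driver."""
    flagged = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lstrip("_")   # ComboFix prefixes renamed copies with "_"
        if HEX32_RE.match(name):
            flagged.append(path)
    return flagged

def parse_cfscript(script: str) -> Dict[str, List[str]]:
    """Map each 'Directive::' of a CFScript to the lines beneath it."""
    directives: Dict[str, List[str]] = {}
    current = None
    for line in (l.strip() for l in script.splitlines()):
        if line.endswith("::"):
            current = line[:-2].lower()
            directives.setdefault(current, [])
        elif line and current is not None:
            directives[current].append(line)
    return directives

def verify_script_targets(script: str, sections: Dict[str, List[str]]) -> Dict[str, bool]:
    """True for each ROOTKIT::/File::/Folder:: target that appears under 'Other Deletions'."""
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    directives = parse_cfscript(script)
    return {target: target.lower() in deleted
            for key in ("rootkit", "file", "folder") for target in directives.get(key, [])}
```

In the constructed excerpt `c:\program files\ErrorFix` is not under "Other Deletions", which matches the real log above: neither Program Files folder from the Folder:: block appears among the deletions, so a helper would check whether they were already gone before the script ran. Registry:: entries are keys rather than paths and are deliberately not checked against the file deletions.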

Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 4:17 pm

Hello.
That was quick.

How is the machine now? The random name rootkit is gone too.

I see you have MySpace IM. Be careful what you surf or click on MySpace, because places like Facebook and MySpace are malware writers' favourite playground.

Please enable the Avira guard now and run the update so it can get its updates, because right now it's outdated and you are the perfect target for another malware attack.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 4:26 pm

Thank you so much for your time and patience with me. I am updating and running the Avira scan at this moment; also, I finally got the Windows Update site to recognize that I need updates (it wouldn't do that before), so I will load those when I am finished with Avira. Question: did you see anything I need to delete from scans, or other non-needed things? Also, is Avira what I should be using, or do you recommend something else? As to MySpace, well, you know how kids are, and that's basically who uses it, but I will inform my daughter and her friends to please be careful with that site. Again, thank you! You really have truly helped me and I will sing thy praises to the masses. lol


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 4:53 pm

Hello.
You can delete these now; they aren't needed.

Delete these folders in bold:
c:\documents and settings\Administrator.MONSTERPUTER\Application Data\Symantec
C:\MGlogs.zip
c:\documents and settings\Owner\Application Data\ErrorFix
C:\MGtools

The Symantec folder is a leftover folder from when you had Symantec/Norton installed.

You can also delete these AAWService dump files; they are saved files from Ad-Aware, logs, etc.

c:\windows\system32\AAWService_2009_03_16_14_30_30.dmp
c:\windows\system32\AAWService_2009_03_16_14_18_45.dmp
c:\windows\system32\AAWService_2009_03_16_00_19_41.dmp
c:\windows\system32\AAWService_2009_03_15_23_01_11.dmp
c:\windows\system32\AAWService_2009_03_15_21_10_16.dmp
c:\windows\system32\AAWService_2009_03_15_20_45_58.dmp

Notice the date in the file name, so they have a few different dates in the name.

I also see Poker software.
c:\program files\PokerStars

I see a lot of advertisements on TV from them, but I would still be careful using sites like them, along with the Facebook/MySpace warning.

We have to remove Combofix now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

Let me know once you've done that.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 5:26 pm

OK, ComboFix uninstall successful; I had to turn off Avira to do so, then immediately turned it back on.
Here is the Avira scan log I received. I am sending it because I got a lot of trojan and rootkit messages while running the scan.
Also, I deleted all of the things you mentioned above the ComboFix delete. So you suggest not using PokerStars? Or just being careful?


Avira AntiVir Personal
Report file date: 2009-03-20 12:21

Scanning for 1309985 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: MONSTERPUTER

Version information:
BUILD.DAT : 8.2.0.347 16934 Bytes 2009-03-16 14:45:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 2008-11-18 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008-05-26 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 2008-06-12 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 2008-05-26 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 23:53:06
ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 2009-03-11 00:59:21
ANTIVIR3.VDF : 7.1.2.196 258560 Bytes 2009-03-20 16:20:08
Engineversion : 8.2.0.120
AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-31 21:16:26
AEscript.DLL : 8.1.1.67 364923 Bytes 2009-03-20 16:20:17
AESCN.DLL : 8.1.1.8 127346 Bytes 2009-03-05 21:26:30
AERDL.DLL : 8.1.1.3 438645 Bytes 2008-11-04 19:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 2009-03-05 02:09:37
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 15:01:53
AEHEUR.DLL : 8.1.0.107 1663352 Bytes 2009-03-20 16:20:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 15:01:52
AEGEN.DLL : 8.1.1.30 336245 Bytes 2009-03-20 16:20:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-14 16:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-18 02:05:56
AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-14 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008-07-09 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 2008-05-16 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 2008-07-31 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 2008-05-09 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008-02-12 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008-06-12 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008-01-22 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008-06-12 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 2008-01-25 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008-06-12 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008-06-27 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: 2009-03-20 12:21

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'lxdncoms.exe' - '1' Module(s) have been scanned
Scan process 'lxdnserv.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'MySpaceIM.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'zHotkey.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'lxdnmsdmon.exe' - '1' Module(s) have been scanned
Scan process 'lxdnmon.exe' - '1' Module(s) have been scanned
Scan process 'ModPS2Key.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
43 processes with 43 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '67' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Qoobox\Quarantine\C\WINDOWS\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49fbc579.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbaebeacb.dll.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfketevcu.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACikpahhiq.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmhtvjyxo.dll.vir
[DETECTION] Is the TR/TDss.ror Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACoqislaoe.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACstuaaleo.dll.vir
[DETECTION] Is the TR/TDss.roq Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\_8f8fcb63b7e57edadea0e91ca4f45135.sys_.vir.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\_8f8fcb63b7e57edadea0e91ca4f45135_.sys.zip
[0] Archive type: ZIP
--> 8f8fcb63b7e57edadea0e91ca4f45135.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.39936 root kit
[NOTE] The file was moved to '4a29c645.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\__8f8fcb63b7e57edadea0e91ca4f45135.sys__.vir.zip
[0] Archive type: ZIP
--> _8f8fcb63b7e57edadea0e91ca4f45135.sys_.vir
[DETECTION] Contains recognition pattern of the RKIT/Agent.39936 root kit
[NOTE] The file was moved to '49fbc6b9.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_UACinapaqfh_.sys.zip
[0] Archive type: ZIP
--> UACinapaqfh.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a04c6e8.qua'!
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0000020.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\A0000117.sys
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
Begin scan in 'D:\'


End of the scan: 2009-03-20 12:49
Used time: 28:22 Minute(s)

The scan has been done completely.

7470 Scanning directories
245271 Files were scanned
13 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
9 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
245256 Files not concerned
7120 Archives were scanned
2 Warnings
13 Notes

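Belahzur's reading of this report in the next reply, that Avira only hit ComboFix's quarantine folder and System Restore points, is something a helper can check mechanically rather than by eye. As an added example (my code, not the thread's or Avira's), the Python below pairs each [DETECTION] line with the path and [NOTE] line around it, classifies where each hit lives, lists any hit that is neither a quarantined copy nor a restore-point snapshot, and reconciles the per-file detail against the totals Avira prints at the end. The embedded report is a constructed excerpt of the one above, with one constructed hit under a placeholder path so the "live" case is exercised; the function names are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the format of the Avira report above. The last hit, under a
# placeholder path, is constructed (it is not in the original report) to show how a
# detection outside the quarantine and restore-point areas would stand out.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\Qoobox\Quarantine\C\WINDOWS\system32\8f8fcb63b7e57edadea0e91ca4f45135.sys.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49fbc579.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfketevcu.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\_8f8fcb63b7e57edadea0e91ca4f45135_.sys.zip
[0] Archive type: ZIP
--> 8f8fcb63b7e57edadea0e91ca4f45135.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.39936 root kit
[NOTE] The file was moved to '4a29c645.qua'!
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0000020.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\PLACEHOLDER-LIVE-HIT\example.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
Begin scan in 'D:\'
5 viruses and/or unwanted programs were found
3 files were deleted
2 files were moved to quarantine
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECT_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (?P<sig>\S+)")
NOTE_RE = re.compile(r"^\[NOTE\] The file was (?P<action>deleted|moved to '[^']+')")
SUMMARY_RE = re.compile(r"^(?P<n>\d+) (?P<what>viruses and/or unwanted programs were found"
                        r"|files were deleted|files were moved to quarantine)$")
SUMMARY_KEYS = {"viruses and/or unwanted programs were found": "found",
                "files were deleted": "deleted", "files were moved to quarantine": "quarantined"}

@dataclass
class Detection:
    path: str                 # file (or archive) Avira scanned
    member: Optional[str]     # entry inside an archive, from the "-->" line
    signature: str
    action: Optional[str]     # "deleted" or "quarantined" once the [NOTE] line is seen

def parse_detections(report: str) -> List[Detection]:
    """Walk the report line by line, pairing each [DETECTION] with its path and [NOTE]."""
    hits: List[Detection] = []
    path, member = None, None
    for line in (l.strip() for l in report.splitlines()):
        if PATH_RE.match(line):
            path, member = line, None              # a new top-level file
        elif line.startswith("--> "):
            member = line[4:]                      # entry inside an archive
        elif (m := DETECT_RE.match(line)) and path:
            hits.append(Detection(path, member, m.group("sig"), None))
        elif (m := NOTE_RE.match(line)) and hits:
            hits[-1].action = "quarantined" if m.group("action").startswith("moved") else "deleted"
    return hits

def classify(path: str) -> str:
    """Where the hit lives: ComboFix's quarantine, a System Restore point, or anywhere else."""
    p = path.lower()
    if "\\qoobox\\" in p:
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    return "live"

def location_tally(hits: List[Detection]) -> Dict[str, int]:
    return dict(Counter(classify(h.path) for h in hits))

def live_hits(hits: List[Detection]) -> List[Detection]:
    """Detections that are neither quarantined copies nor restore-point snapshots."""
    return [h for h in hits if classify(h.path) == "live"]

def parse_summary(report: str) -> Dict[str, int]:
    out: Dict[str, int] = {}
    for m in filter(None, map(SUMMARY_RE.match, (l.strip() for l in report.splitlines()))):
        out[SUMMARY_KEYS[m.group("what")]] = int(m.group("n"))
    return out

def reconcile(hits: List[Detection], summary: Dict[str, int]) -> Dict[str, bool]:
    """Does the per-file detail agree with Avira's own totals at the end of the report?"""
    actions = Counter(h.action for h in hits)
    return {"found": len(hits) == summary.get("found"),
            "deleted": actions["deleted"] == summary.get("deleted"),
            "quarantined": actions["quarantined"] == summary.get("quarantined")}
```

Run over the real report above, the same logic pairs 13 detections with 9 deletions and 4 quarantine moves, agreeing with Avira's totals, and every path sits under C:\Qoobox or C:\System Volume Information\_restore..., so live_hits returns nothing; that is the programmatic form of the "only quarantine and restore points" conclusion. The "Search for rootkits: off" line in the scan configuration is worth noting separately: this report says nothing about drivers still hidden on the running system.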

Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 5:28 pm

Hello.

PokerStars is a legit site, but poker sites often have ads on them that aren't filtered out, so clicking ads may lead you to a harmful site.

Avira only found System Restore points and the ComboFix quarantine folder.

Delete this folder in bold:
C:\Qoobox

Let's reset System Restore manually.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 5:36 pm

OK, System Restore points done. The Qoobox could not be found in the search; when I was deleting the other things, I believe (not 100% sure) that I saw it in one of those components, so maybe it was already deleted?


Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 5:39 pm

I noticed in my Add and Remove a file called Browser Address Error Redirector; is this something I need to delete?


Re: infected with win32rootkit.tdss

Post by Belahzur on Fri Mar 20, 2009 5:44 pm

Hello.
You can uninstall that too, it's part of Google software.

I see you have Adobe Reader version 8 installed on this machine. This is old and has holes malware can abuse to re-infect you, so we need to close these holes.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Adobe Reader 8
  • Adobe Reader 8.1.2
Then download and install version 9 from here:
[You must be registered and logged in to see this link.]

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: infected with win32rootkit.tdss

Post by shushon on Fri Mar 20, 2009 6:07 pm

I downloaded the Adobe 9.1. System is a go. Will also re-add Ad-Aware and maybe another; thinking I will also change my current firewall to one you recommend. I will take the resolved issue survey. And again, I cannot state how much I truly appreciate the time and effort you have taken to help me with all my issues. I hope to not be a repeat user of this site. But if it so happens that I need help, you will be the first I contact. Thank you for saving my PC!
