BleepingComputer.com: Rootkit.tdss??

Hi,

I am running Windows XP SP3.

The problem first manifested itself shortly after browsing the megaupload.com website. There was a popup in the background I did not notice. Twenty minutes later, Avira Antivir guard detected an infection and reported the following:



As I prepared to have Avira updated to perform a more complete scan of my system, I noticed that something started to take up all my system resources. Since things were running slowly, I opted to restart my computer. As expected, it didn't shut down very quickly. A few strange close program popups appeared before Windows shut down. I recall one program being titled something like hiddenfax... sorry, I don't remember the others; probably should have paid closer attention to them.

Anyways, my computer appeared to be restarting. Then when it hit the windows loading screen, I encountered the BSOD, a screen very similar to the one on this page: http://www.symantec.com/connect/blogs/tidserv-and-ms10-015 . There was an error with the atapi.sys file. I tried restarting using the last known good configuration and safe mode, and still the same BSOD. I finally found some instructions on this page http://www.myfixes.com/articles/system that allowed me to perform a system restore using the Windows recovery console. I was able to boot into Windows. Naturally, I wasn't confident that the problem was resolved, so I ran two programs which have helped me before.

Malwarebytes reported two instances of Rootkit.tdss and one other problem, which I asked the program to correct. They were:

Files:


registry data item:


Hijackthis output a log with some suspicious entries that weren't found in a clean log generated at an earlier time.

I don't know whether or not my computer is still infected. Can someone please advise on next steps to take?

Thank you! Your help is much appreciated!

This post has been edited by csbeginner: 04 June 2011 - 12:48 AM

That certainly matches the M.O. of TDSS so I'm going to ask you to follow this guide here. It will instruct you on how to generate some logs using the DDS and GMER analysis tools and how to post them to the Malware Logs Analyses forum. These logs will provide much more detailed and pertinent information than HijackThis is capable of and will assist the Malware Removal Team member who responds to your post to craft the necessary fixes to clean your system.

Thank you, Andrew!!

I have already backed up some files earlier on another drive. A firewall is already active and any CD emulation software has been disabled. As soon as the scans are done, I will have the output posted in a new thread on that section of the forum.

This post has been edited by csbeginner: 04 June 2011 - 12:28 PM

Malware topic
http://www.bleepingcomputer.com/forums/topic401786.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.