
re-quietman7's removal of Win32.TDSS.rtk


16 replies to this topic

#1 spikey_hedgehog (Members, 9 posts)

Posted 11 February 2009 - 06:54 AM

Hello, please can anyone help? I see other people are plagued with the Win32.TDSS.rtk trojan... I have followed quietman7's instructions on downloading and using the mbam removal software plus re-boot, and this is the text file results.


Malwarebytes' Anti-Malware 1.33
Database version: 1747
Windows 5.1.2600 Service Pack 3

11/02/2009 11:18:03
mbam-log-2009-02-11 (11-18-03).txt

Scan type: Quick Scan
Objects scanned: 55189
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplore.exe (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Internet Explorer\iexplore.exe (Spyware.Agent) -> Delete on reboot.


After the re-boot my Internet Explorer browser shortcut icons don't work but Firefox does, I suppose I'll have to re-download IE7 and 6.
I have also downloaded super-anti spyware & ATF cleaner in readiness to continuing following quietman7's further instructions.
Thanks in Advance
Chris


#2 spikey_hedgehog (Topic Starter; Members, 9 posts)

Posted 11 February 2009 - 11:29 AM

After the first quick scan with mbam I re-booted and it got rid of a few things; since then I have run Spybot Search and Destroy and it showed that Win32.TDSS.rtk was still there as two trojan entries... Since then I have done a full scan with mbam and this is the report. Should I now continue with the rest of the programs advised to use?
Thanks Chris


Malwarebytes' Anti-Malware 1.33
Database version: 1747
Windows 5.1.2600 Service Pack 3

11/02/2009 16:19:11
mbam-log-2009-02-11 (16-19-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 211878
Time elapsed: 2 hour(s), 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
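Both logs above follow the same fixed layout: a header of "Key: value" lines, a block of declared per-section counts, then one listing block per section whose entries read "item (DetectionName) -> action." The following is an added Python example, not code from this thread or from Malwarebytes, that parses that layout from a constructed sample built from the Quick Scan entries posted in #1 and summarizes what a helper would want to see at a glance: detections by name, which items are still waiting on a reboot, which entries were autorun (Run-key) persistence, and whether the declared counts match the entries actually listed. The regular expressions are assumptions derived only from the lines posted here, not from any Malwarebytes specification.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log: the Quick Scan report posted in #1, with the empty
# "(No malicious items detected)" blocks shortened to a single one.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1747

11/02/2009 11:18:03
mbam-log-2009-02-11 (11-18-03).txt

Scan type: Quick Scan
Objects scanned: 55189
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplore.exe (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Internet Explorer\iexplore.exe (Spyware.Agent) -> Delete on reboot.
"""

# Assumed line shapes, derived from the posted logs.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>.+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str   # e.g. "Registry Values Infected"
    item: str      # registry path, folder or file
    name: str      # detection name, e.g. "Trojan.FakeAlert"
    action: str    # what MBAM did, without the trailing period


@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)     # "Scan type", "Objects scanned", ...
    declared: dict = field(default_factory=dict)   # section -> count MBAM claims
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> ScanReport:
    """Parse one MBAM log; lines that fit none of the shapes are ignored."""
    report = ScanReport()
    section = None  # the listing block we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is None:
                section = m.group("section")  # start of a listing block
            else:
                report.declared[m.group("section")] = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            report.detections.append(
                Detection(section, m.group("item"), m.group("name"), m.group("action")))
            continue
        m = HEADER_RE.match(line)
        if m and section is None:
            report.header[m.group("key")] = m.group("value")
    return report


def summarize(report: ScanReport) -> dict:
    """Roll the entries up into the facts a helper asks about first."""
    return {
        "by_name": Counter(d.name for d in report.detections),
        "by_action": Counter(d.action for d in report.detections),
        # items MBAM could not remove yet; they need a post-reboot re-scan
        "pending_reboot": [d.item for d in report.detections
                           if d.action.lower().startswith("delete on reboot")],
        # Run-key values are autorun persistence; worth re-checking after cleanup
        "autorun_entries": [d.item for d in report.detections
                            if "\\CurrentVersion\\Run\\" in d.item],
    }


def check_counts(report: ScanReport) -> dict:
    """Return {section: (declared, listed)} for every section whose counts disagree."""
    listed = Counter(d.section for d in report.detections)
    return {s: (n, listed.get(s, 0)) for s, n in report.declared.items()
            if listed.get(s, 0) != n}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header.get("Scan type"), "-", len(rep.detections), "entries")
    for key, value in summarize(rep).items():
        print(f"{key}: {value}")
    print("count mismatches:", check_counts(rep) or "none")
```

Run against the Full Scan log from #2 the same parser yields only the two brastk Run-key values, which is exactly the "still flagged" persistence the later posts keep coming back to; a non-empty result from check_counts would mean the log was truncated or edited before it was pasted.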

#3 DaChew (Visiting Alien; BC Advisor, 10,317 posts; Gender: Male; Location: millenium falcon and rockytop)

Posted 11 February 2009 - 11:46 AM

Would you link to the exact thread you are referencing? Each of these infections reacts differently on different computers and their configuration; to make it even more complex, the malware writers are constantly updating their work to defeat disinfection.

Unfortunately, any warnings about rootkits and backdoor trojans would apply in this case.
Chewy

No. Try not. Do... or do not. There is no try.

#4 spikey_hedgehog (Topic Starter; Members, 9 posts)

Posted 11 February 2009 - 01:42 PM

Hi Da Chew, thanks for replying. The post is in Security, "Am I infected? What do I do?": "Win32.TDSS.rtk?, Please help me fix my wife's computer", posted by mds240 Dec 27 2008 09:28 PM... didn't realize topics get buried so quickly. Thanks, Chris

This is the URL to the post: http://www.bleepingcomputer.com/forums/t/189751/win32tdssrtk/

#5 DaChew (Visiting Alien; BC Advisor, 10,317 posts; Gender: Male; Location: millenium falcon and rockytop)

Posted 11 February 2009 - 01:56 PM

What other security programs do you have installed? Are there any other logs that might give me a clue? Your MBAM log just shows a partial infection.
Chewy


#6 spikey_hedgehog (Topic Starter; Members, 9 posts)

Posted 12 February 2009 - 04:21 AM

Hi Da Chew, I have AVG Anti Virus free, which is completely up to date and running all the time, plus the AVG browser add-on. I also have Spybot Search and Destroy running and up to date, which I run checks with. I also have the Ad-Aware program, which I use to scan my computer, but it's not running all the time, and I know there could be a possible clash with Spybot Search and Destroy.
I also use Steganos Internet Trace Destructer 7 to erase passwords and browser history pretty much every week.

The only real symptoms of infection I have had are Spybot Search and Destroy flagging the two Win32.TDSS.rtk trojans but not removing them, plus sometimes a browser-related cookie. I also noticed this week the browser IE7 going unresponsive for long periods.
Hope this helps, thanks for your time.
Chris

#7 DaChew (Visiting Alien; BC Advisor, 10,317 posts; Gender: Male; Location: millenium falcon and rockytop)

Posted 12 February 2009 - 05:14 AM

Ok, let's try the ATFCleaner and SAS from safe mode next; be sure to update SAS before running it.

I have AVG Anti Virus free which is completely up to date running all the time


This may have kept a lot of the infection out?

Edited by DaChew, 12 February 2009 - 05:16 AM.

Chewy


#8 spikey_hedgehog (Topic Starter; Members, 9 posts)

Posted 12 February 2009 - 08:21 AM

Well Da Chew, sorry for the delay... I started in safe mode ok, I ran ATF and ticked all file boxes for Windows XP to delete, then I tried to open SAS and got the message "the system admin has set policies to prevent this installation"... After that I closed down the comp to get back to you and the thing wouldn't start at all; it would get so far then cycle round. I turned it off for a bit, fearing the worst (a trip to the repair shop and a fresh install), and now it is back on.

#9 DaChew (Visiting Alien; BC Advisor, 10,317 posts; Gender: Male; Location: millenium falcon and rockytop)

Posted 12 February 2009 - 08:24 AM

Have you tried a scan with AVG from safe mode? I would be very careful with what I allowed AVG to fix or delete, though. We are seeing some real bad infections lately.
Chewy


#10 spikey_hedgehog (Topic Starter; Members, 9 posts)

Posted 12 February 2009 - 09:02 AM

The only program I ran in safe mode was the ATF! When I opened in safe mode none of my browsers worked, so I had to exit and re-boot just to post a reply. If I run AVG in safe mode I would need someone to see what it turns up before deleting; I suppose I can run it to see what it finds and cancel it, copy to a text file, save to my desktop, re-boot, then get back to you.
I have just run Spybot in normal mode and the Win32.TDSS.rtk is still being flagged; boy, this is a pain. Maybe I should just bite the bullet and take it to the comp shop.

#11 DaChew (Visiting Alien; BC Advisor, 10,317 posts; Gender: Male; Location: millenium falcon and rockytop)

Posted 12 February 2009 - 09:45 AM

Have you backed up your important data?
Chewy


#12 spikey_hedgehog (Topic Starter; Members, 9 posts)

Posted 12 February 2009 - 09:55 AM

I don't have a separate storage hard drive nor any CDs or USB pens to use; is this where I should back things up to? I will need to sort this out before the next step, so please bear with me. Thanks

#13 DaChew (Visiting Alien; BC Advisor, 10,317 posts; Gender: Male; Location: millenium falcon and rockytop)

Posted 12 February 2009 - 10:04 AM

is this where I should back things up to?


Yes, something off the hard drive.

In this case it means having another copy of important data, so if your computer has to be reloaded then you don't lose everything.

I have a second hard drive I keep stuff on; if the main one fails or is badly infected I can reload. Some data/installers I am burning to CD/DVD to protect them.
Chewy


#14 spikey_hedgehog (Topic Starter; Members, 9 posts)

Posted 12 February 2009 - 11:10 AM

Ok, thanks, will have to get in to PC World or Argos and buy a cheap one... will post back when I'm set up, thanks.

#15 DaChew (Visiting Alien; BC Advisor, 10,317 posts; Gender: Male; Location: millenium falcon and rockytop)

Posted 12 February 2009 - 02:59 PM

I am not normally this cautious, but we have seen quite a few infections lately where, after using normal general-use antimalware scanners, the system won't boot.

If you have a Windows disk you can try to run a repair, or boot from a Linux CD or antivirus CD and attempt to copy system files back over to repair the boot.
Many times the system is still so infected that a clean install is the most practical approach.
Chewy
