
Bck/Tdss.BC


11 replies to this topic

#1 Sonni2774


Posted 01 June 2009 - 07:29 PM

Hi, I just ran an online scan (Panda ActiveScan 2.0) and have been informed that my computer has 1 medium danger level threat and 11 low danger level threats. The medium level threat is Bck/Tdss.BC
(globalroot\systemroot\system32\UACrboamyrsscjxoyp.dll) and the others are tracking cookies. Am just wondering why my Malwarebytes' Anti-Malware didn't remove these? And also how I can fix this? Please note that I am a very new computer user and will need lots of guidance! :D lol
Thanks
Sonja


#2 boopme


Posted 01 June 2009 - 08:56 PM

Hello. Please post your MBAM log for review.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Next run ATF and SAS:
From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#3 Sonni2774


Posted 01 June 2009 - 09:29 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2033
Windows 5.1.2600 Service Pack 3

2/06/2009 5:15:48 PM
mbam-log-2009-06-02 (17-15-48).txt

Scan type: Quick Scan
Objects scanned: 81729
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


This is the one that I did just a minute ago ... I rebooted my computer and it froze. I had to switch off at the wall in order for it to run again.

Edited by Sonni2774, 02 June 2009 - 02:55 AM.


#4 Sonni2774


Posted 01 June 2009 - 09:54 PM

Hello, have downloaded both ATF Cleaner and SUPERAntiSpyware Free Edition but when I go to open SUPER my computer won't allow me to do so. It keeps saying that it has encountered a problem and needs to close. What can I do now? Thanks for your time and patience with me :thumbsup:

Have managed to install SUPER, renamed it when saving onto desktop, but it now won't allow me to open it to update.

Edited by Sonni2774, 02 June 2009 - 04:41 AM.


#5 Sonni2774


Posted 02 June 2009 - 06:51 AM

Hi, I managed to do the ATF clean and the SUPER after I renamed the spyware and this is the scan log. Is there anything else that I need to do? Thanks,
Sonja


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/02/2009 at 09:10 PM

Application Version : 4.26.1004

Core Rules Database Version : 3919
Trace Rules Database Version: 1863

Scan type : Complete Scan
Total Scan Time : 00:26:09

Memory items scanned : 212
Memory threats detected : 1
Registry items scanned : 4034
Registry threats detected : 68
File items scanned : 11603
File threats detected : 1

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACRBOAMYRSSCJXOYP.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACRBOAMYRSSCJXOYP.DLL

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#fe8cd514
HKLM\SOFTWARE\UAC\connections#20d04c0a
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#a3d50932
HKLM\SOFTWARE\UAC\mask#f5d692d5
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

#6 boopme


Posted 02 June 2009 - 10:13 AM

All rootkits... May not be curable. Let's see what else.

Next Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#7 Sonni2774


Posted 02 June 2009 - 07:44 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/03 10:09
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAC40000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B4C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9A4D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sfc.SYS
Image Path: C:\WINDOWS\System32\Drivers\sfc.SYS
Address: 0xA9F69000 Size: 12256 File Visible: No Signed: -
Status: -

Name: UACdqqfaaxwmkdviba.sys
Image Path: C:\WINDOWS\system32\drivers\UACdqqfaaxwmkdviba.sys
Address: 0xAAEC4000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: sfcfiles.dll]
Process: winlogon.exe (PID: 644) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: mssfc.dll]
Process: winlogon.exe (PID: 644) Address: 0x66700000 Size: 1622016

Object: Hidden Module [Name: UACbrmtwkmuwgtphhb.dll]
Process: svchost.exe (PID: 1044) Address: 0x02970000 Size: 49152

Object: Hidden Module [Name: UACpkbnepbudsflxvk.dll]
Process: svchost.exe (PID: 1044) Address: 0x00e20000 Size: 53248

Object: Hidden Module [Name: UACgwinpmgawbtafvi.dll]
Process: svchost.exe (PID: 1044) Address: 0x028d0000 Size: 45056

Object: Hidden Module [Name: UAC5fd4.tmpkbwdbqpqbox.dll]
Process: svchost.exe (PID: 1044) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: UACbrmtwkmuwgtphhb.dll]
Process: RootRepeal.exe (PID: 3456) Address: 0x00b20000 Size: 49152

Object: Hidden Module [Name: UACgwinpmgawbtafvi.dll]
Process: RootRepeal.exe (PID: 3456) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACbrmtwkmuwgtphhb.dll]
Process: IEXPLORE.EXE (PID: 4380) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACgwinpmgawbtafvi.dll]
Process: IEXPLORE.EXE (PID: 4380) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACdqqfaaxwmkdviba.sys

==EOF==



If this proves to be not curable what will I have to do to have my computer back running well again? Thanks again for your time in helping me with this.
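The RootRepeal report above is the evidence boopme reads as rootkit damage. The following is an added example, not part of this thread or of RootRepeal, that parses that report format and flags the same indicators a responder looks for here: a driver hidden from the Windows API, the UAC-prefixed random file names this TDSS variant uses, and a hidden service, while not flagging the dump_*.sys stub drivers and the scanner's own driver, which legitimately report File Visible: No. The UAC_NAME and EXPECTED_INVISIBLE patterns are heuristics chosen for this log, not RootRepeal's own rules.

```python
import re

# Trimmed excerpt of the RootRepeal report posted in this thread.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Address: 0xAAC40000 Size: 98304 File Visible: No Signed: -
Status: -

Name: UACdqqfaaxwmkdviba.sys
Image Path: C:\WINDOWS\system32\drivers\UACdqqfaaxwmkdviba.sys
Address: 0xAAEC4000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACbrmtwkmuwgtphhb.dll]
Process: svchost.exe (PID: 1044) Address: 0x02970000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACdqqfaaxwmkdviba.sys
==EOF==
"""

# This TDSS variant drops UAC<random>.sys/.dll. Crash-dump stubs (dump_*.sys) and
# the scanner's own driver legitimately show "File Visible: No", so skip them.
UAC_NAME = re.compile(r"^UAC[^\\/]*\.(?:sys|dll)$", re.I)
EXPECTED_INVISIBLE = re.compile(r"^(?:dump_.*|rootrepeal\.sys)$", re.I)
KV = re.compile(r"([A-Za-z ]+?): (.*?)(?=\s+[A-Za-z ]+: |$)")  # several pairs per line
SECTION = re.compile(r"^(\S[^\n]*)\n-{5,}\n(.*?)(?=^\S[^\n]*\n-{5,}|^==EOF==|\Z)", re.M | re.S)

def parse_report(text):
    """Return {section: [entry, ...]}; each entry maps RootRepeal field names to values."""
    sections = {}
    for title, body in SECTION.findall(text.replace("\r\n", "\n")):
        sections[title.strip()] = [  # entries are blank-line separated
            dict((k.strip(), v.strip()) for ln in block.splitlines() for k, v in KV.findall(ln))
            for block in re.split(r"\n\s*\n", body.strip()) if block.strip()]
    return sections

def find_tdss_indicators(text):
    """Flag what this thread's log shows; returns (section, name, reason) tuples."""
    found = []
    for section, entries in parse_report(text).items():
        for e in entries:
            m = re.search(r"\[Name: (.*?)\]", e.get("Object", ""))
            name = m.group(1) if m else e.get("Name") or e.get("Service Name", "")
            if e.get("File Visible") == "No" and not EXPECTED_INVISIBLE.match(name):
                found.append((section, name, "driver file not visible on disk"))
            if "hidden" in e.get("Status", "").lower():
                found.append((section, name, "hidden from Windows API"))
            if UAC_NAME.match(name):
                found.append((section, name, "TDSS-style UAC* file name"))
            if section == "Hidden Services":
                found.append((section, name, "service hidden from the SCM list"))
    return found
```

Running it on the excerpt yields five findings, all for the three UAC-named objects, and none for dump_atapi.sys.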

#8 boopme


Posted 02 June 2009 - 11:43 PM

Hi Sonja, you have serious rootkit damage.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


You can go through our HijackThis process and see if they can clean, or you can remove it by reformatting.

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


Knowing the above, let us know if you wish to proceed.

#9 Sonni2774


Posted 03 June 2009 - 10:13 AM

Hi, thanks for the bad news .... lol
Have reformatted and have begun again. What steps should I take to keep safe this time?
Cheers, Sonja

Edited by Sonni2774, 03 June 2009 - 10:14 AM.


#10 boopme


Posted 03 June 2009 - 10:29 AM

Hi, you're most welcome. Yeah, sorry about that. It's not my favorite thing to post either. Keep an updated Windows, A/V and spyware program. Scan at least weekly. Here are some others already written...
Please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:

Edited by boopme, 03 June 2009 - 10:30 AM.


#11 Sonni2774


Posted 04 June 2009 - 03:51 AM

Hi to BOOPME,
Thanks heaps for all your help, it was much appreciated. Have got things up and running again and all seems to be good. I will keep all read tips in mind in the future!!! Thanks again, and here's hoping all remains safe and "crap" free!! lol
Sonja

Edited by Sonni2774, 04 June 2009 - 03:52 AM.


#12 boopme


Posted 04 June 2009 - 12:05 PM

Good job Sonja .. glad you're clear and glad to have helped :thumbsup:



