Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan tdss and comboFix [Moved]


  • This topic is locked This topic is locked
9 replies to this topic

#1 LittleMatchGirl

LittleMatchGirl

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:49 PM

Posted 30 June 2009 - 12:43 PM

Ok, well I have 2 issues. One, I had a trojan on my computer I couldn't get rid of. Trojan tdss. 2, I used Combofix without a real helper. I know what I did was really stupid, listening to a friend but I was pretty desperate at the time, and I didn't want any kind of virus on my computer. (who does really?)

It all started last week. I noticed, that something was wrong with my computer when I clicked on links in google firefox and firefox kept redirecting me to wrong links. My computer was also getting slower. I did a Malware scan, and discovered that I have a trojan. Trojan Tdss to be specific. Every time I tried to remove it, and rebooted my system, it would show up again (I would do a quick scan after rebooting system to see if it's been deleted.) I ran my AVG, but it couldn't detect the virus. I installed Spybot and Adaware on my computer, they both tried to remove the virus, but it kept coming back.

A friend of mine suggested I use Combofix, I not being computer saavy downloaded the program and I used it. Before using it, I was told to disable my malware, my ad-aware and my spybot, and my AVG 8.5. My friend told me that I could disable my AVG by clicking on the resident shield and disabling it, since I don't use Norton Antivirus. Clicked on resident shield and disabled it for AVG, I just removed programs malware, ad-aware and my spybot because I didn't want to take any chances. I turned off my firewall and after all's said and done ran the program. It asked me if I wanted to install the windows recovery console, I said yes. Combofix downloaded WRC and installed it. It started it's scan, and not even 5 mins into it, it said I had to write some stuff down because I might need it later.

C:\WINDOWS\system32\drivers\SKYNETvhpwordisys
C:\WINDOWS\system32\\SKYNETcntdkejs.dll
C:\WINDOWS\system32\\SKYNETxkxpulhav.dat
C:\WINDOWS\system32\\SKYNETqlewirbp.dll
C:\WINDOWS\system32\\SKYNETklgcomhc.dat

The computer had to be restarted. (My computer has to be manually turned on and off in order to reboot/restart.) Then it started scanning. My friend said that it would probably take a while to finish scanning, so we went out for 30 mins we came back and my computer was turned off. (I have an "old computer" by today's standards of 5 years old.) I assumed it had to be rebooted again? So I turned it on again so that it could restart and finish it's final stages of scanning. So finally it's done scanning and it said that I could find the log(?) at C:\combofix.txt.

I noticed that my background picture is kinda screwy, I can only assume that I missed something? Or is that normal? I haven't run any programs yet, but I'm going to redownload mbam, and adaware.

I did a search for random things like "Pixar" to see if I still got redirected to the wrong places (like real estate or some ad) so far everything seems to work properly. My computer is still slow tho.

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:49 PM

Posted 30 June 2009 - 08:56 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:01:49 PM

Posted 01 July 2009 - 06:58 PM

Welcome to BC


Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 LittleMatchGirl

LittleMatchGirl
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:49 PM

Posted 02 July 2009 - 01:09 PM

Thank you for welcoming me! Thanks for the help, I've been such an idiot so far. I know what I did wrong. I didn't hit the report button before scanning that's why it didn't give me the option to pick what I wanted to get scanned. I have the report for you now if you want to check it out.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/02 17:00
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB69CE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE5A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB46F5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RECYCLER\NPROTECT\00525121.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048350. Godhead
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00525100.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00525132.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048346. Chester
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00092366.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048348. Marilyn
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00571406.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048354. Earshot
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00331620.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00525136. Chantal
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\Demo ReeL\00092366.
Status: Locked to the Windows API!

Path: c:\documents and settings\true\local settings\temp\etilqs_gztdngg6hvyysgqol5f1
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\True\Desktop\My Music\Chantal Kreviazuk - Colour Moving and Still\00525136. Chantal
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Colin Hay - Going Somewhere\00525100.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Goldfrapp-Felt Mountain(Darkside_RG)\00525121.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Minna Daisuki Katamari Damacy Original Soundtrack\00525132.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048346. Chester
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048348. Marilyn
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048350. Godhead
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048354. Earshot
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\My Documents\My Music\iTunes\iTunes Music\Def Leppard\Vault_ Def Leppard's Greatest Hits\00571406.
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba91887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba918bfe

==EOF==

Edited by LittleMatchGirl, 02 July 2009 - 04:09 PM.


#5 LittleMatchGirl

LittleMatchGirl
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:49 PM

Posted 02 July 2009 - 01:12 PM

Ok It's official I'm an idiot. I didn't hit the report button before I began the scan, that's where I went wrong. Sorry for that confusion.

Edited by LittleMatchGirl, 02 July 2009 - 04:05 PM.


#6 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:01:49 PM

Posted 02 July 2009 - 06:50 PM

Why don't you try it again just to be sure
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 LittleMatchGirl

LittleMatchGirl
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:49 PM

Posted 02 July 2009 - 10:01 PM

I did it again, like you asked, and this is what came up.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/02 22:53
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB69CE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE5A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB418C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RECYCLER\NPROTECT\00525121.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048350. Godhead
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00525100.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00525132.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048346. Chester
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00092366.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048348. Marilyn
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00571406.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00048354. Earshot
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00331620.
Status: Locked to the Windows API!

Path: C:\RECYCLER\NPROTECT\00525136. Chantal
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\Demo ReeL\00092366.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Chantal Kreviazuk - Colour Moving and Still\00525136. Chantal
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Colin Hay - Going Somewhere\00525100.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Goldfrapp-Felt Mountain(Darkside_RG)\00525121.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Minna Daisuki Katamari Damacy Original Soundtrack\00525132.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048346. Chester
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048348. Marilyn
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048350. Godhead
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\Desktop\My Music\Queen Of The Damned OST\00048354. Earshot
Status: Locked to the Windows API!

Path: C:\Documents and Settings\True\My Documents\My Music\iTunes\iTunes Music\Def Leppard\Vault_ Def Leppard's Greatest Hits\00571406.
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba91887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba918bfe

==EOF==

#8 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:01:49 PM

Posted 03 July 2009 - 04:47 PM

Sorry to make you do that extra scan, but I wanted to make sure
Unfortunately, The news is not good. You have a pretty nasty infection



Two options left-Post a HJT log or re-install

If you want to give removal of the infection a try, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

====================================

Option 2
Some types of malware can result in a system so badly damaged that a Repair Install will NOT help!. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

In case you need help with this, please review:These links include step-by-step instructions with screenshots:Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr) or autorun (.ini) files because they may be infected by malwareware appending itself to the executable. Some types of malware may even disguise itself by adding and hiding its extension to the existing extension of files so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Note: If your using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it.

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#9 LittleMatchGirl

LittleMatchGirl
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:49 PM

Posted 03 July 2009 - 08:59 PM

Thanks for your help! I'll try to post this in Hijack first before reformatting my computer! Thanks for your help I appreciate! Do you know what the virus is? Is it still Trojan Tdss? I ran combofix, I thought that would get rid of it, but I guess not.

Edited by LittleMatchGirl, 03 July 2009 - 09:10 PM.


#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:49 PM

Posted 03 July 2009 - 10:37 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/238677/infected-with-trojan-tdss/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users