Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Several items show up in Avira


  • This topic is locked This topic is locked
9 replies to this topic

#1 mikedj72

mikedj72

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 07 July 2009 - 09:33 AM

I did not see a place to post logs from Avira. I'm posting what was found, and what Avira said it done. I'm guessing these will still stick around after I reboot and I'm looking for direction to threads that might help. As a Vista 32 Bit user, I've searched that forum and did not find anything particular for these infections. I've ran a HijackThis and most of this doesn't show up, so I've not posted a log in that particular section. My biggest problem I see daily is the fact that every search engine search shows me the links I want, I click and end up on some goofball website close to my search topic, I then have to hit the back button so I can hit the link a 2nd time before finally arriving at the proper website.

Thanks for any support or direction.


ITEMS FOUND:
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Uninstall.exe
[DETECTION] Is the TR/TDss.aips Trojan
C:\Program Files\Procomm Plus\Aspect\faxmerge\PWWORD97.DOT
[DETECTION] Contains HEUR/Macro.Word97 suspicious code
C:\Users\Mike\AppData\Local\Temp\.exe
[DETECTION] Is the TR/PCK.Tdss.W.4 Trojan
C:\Users\Mike\AppData\Local\Temp\tmp8F79.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Users\Mike\AppData\Local\Temp\tmp8F7A.tmp
[DETECTION] Is the TR/Alureon.BP.15 Trojan
C:\Windows\Temp\533068021.tmp
[DETECTION] Is the TR/Spy.Router.A Trojan
C:\Windows\Temp\533068130.tmp
[DETECTION] Is the TR/Spy.122368.2 Trojan

WHAT AVIRA DID:
eginning disinfection:
C:\Program Files\Uninstall.exe
[DETECTION] Is the TR/TDss.aips Trojan
[NOTE] The file was moved to '4abc5a3e.qua'!
C:\Program Files\Procomm Plus\Aspect\faxmerge\PWWORD97.DOT
[DETECTION] Contains HEUR/Macro.Word97 suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4aaa5a27.qua'!
C:\Users\Mike\AppData\Local\Temp\.exe
[DETECTION] Is the TR/PCK.Tdss.W.4 Trojan
[NOTE] The file was moved to '4ab859fe.qua'!
C:\Users\Mike\AppData\Local\Temp\tmp8F79.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4ac35a3d.qua'!
C:\Users\Mike\AppData\Local\Temp\tmp8F7A.tmp
[DETECTION] Is the TR/Alureon.BP.15 Trojan
[NOTE] The file was moved to '4c935f66.qua'!
C:\Windows\Temp\533068021.tmp
[DETECTION] Is the TR/Spy.Router.A Trojan
[NOTE] The file was moved to '4a865a04.qua'!
C:\Windows\Temp\533068130.tmp
[DETECTION] Is the TR/Spy.122368.2 Trojan
[NOTE] The file was moved to '4cde22ed.qua'!

BC AdBot (Login to Remove)

 


m

#2 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 07 July 2009 - 09:41 AM

Forgot to add...

I did a lot of research first and often ran across fixes for the individual infections that suggested programs like Malwarebyte's program, etc. Those programs are being blocked by one of the infections, not sure through Java or what.

Malwarebytes will not run.
Spybot will not run.
TrendMicro online virus scan would start, but it said the java plugin did not install properly, and it always did before these recent infections.

It seems like any security type program will not start, no other problems on the computer or softwares, just malware removal programs.

#3 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:55 AM

Posted 07 July 2009 - 09:57 AM

You have a TDSS infection. This is a pretty nasty rootkit.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

If you wish to continue,

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This my take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#4 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 07 July 2009 - 10:27 AM

Step 1 = Problem 1

I download the zip of RootRepeal, extract file for install and get RootRepeal Error window popup. (Attempt to read from address: 0x01777000) Followed by another, different address. Then finally I get the "RootRepeal has stopped working error from Windows that I get with Malwarbytes/Spybot/etc.

#5 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:55 AM

Posted 07 July 2009 - 10:33 AM

Let's try this...

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#6 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 07 July 2009 - 10:53 AM

Thanks for helping Rigel!

SmitFraudFix v2.423

Scan done at 11:49:35.71, Tue 07/07/2009
Run from C:\Users\Mike\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\SAMSUNG\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

hosts


C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\Mike


C:\Users\Mike\AppData\Local\Temp


C:\Users\Mike\Application Data


Start Menu


C:\Users\Mike\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: Intel® 82566DC-2 Gigabit Network Connection
DNS Server Search Order: 128.127.2.251

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C394254C-A9E6-4C77-959E-D8CFC673E0BA}: DhcpNameServer=128.127.2.251
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C394254C-A9E6-4C77-959E-D8CFC673E0BA}: DhcpNameServer=128.127.2.251
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C394254C-A9E6-4C77-959E-D8CFC673E0BA}: DhcpNameServer=128.127.2.251
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=128.127.2.251
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=128.127.2.251
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=128.127.2.251


Scanning for wininet.dll infection


End

#7 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:55 AM

Posted 07 July 2009 - 03:03 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#8 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 07 July 2009 - 03:39 PM

Safe mode is locking up when it gets to crcdisk.sys

I've tried several times. I'm not sure if it's related to this virus that started today or all these removal programs I've installed after reading this website, but my clock has also changed to military time. It's reading 16:38 here, never saw that before. Sounds like I may have one well programed virus.

#9 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:55 AM

Posted 07 July 2009 - 08:23 PM

A very bad one. Since this is TDSS and our tools are stumbling, lets move to the HJT forum.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,693 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:55 AM

Posted 09 July 2009 - 09:47 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/240150/log-tdssaips-cryptxpack-spyrouter-and-alureon/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users