Help with Win32TrojanTDSS

7 replies to this topic

#1 wayne82

  • Members
  • 4 posts

Posted 11 July 2009 - 11:02 PM

OK, so I tried the method described here http://www.bleepingcomputer.com/forums/t/235192/cannot-get-rid-of-win32trojantdss/ and the trojan is still on my PC. It said it needed to reboot to get rid of it, so I did, but it still finds these on my PC. Here is a log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/11/2009 at 10:53 PM

Application Version : 4.26.1006

Core Rules Database Version : 3988
Trace Rules Database Version: 1928

Scan type : Quick Scan
Total Scan Time : 00:10:12

Memory items scanned : 426
Memory threats detected : 0
Registry items scanned : 389
Registry threats detected : 79
File items scanned : 11996
File threats detected : 2

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#EPROCESS_LEOffset
HKLM\SOFTWARE\UAC#EPROCESS_NameOffset
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#rem_ok
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\connections#20d04c0a
HKLM\SOFTWARE\UAC\connections#fe8cd514
HKLM\SOFTWARE\UAC\connections#7d72e91c
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#49772768
HKLM\SOFTWARE\UAC\mask#d3036adf
HKLM\SOFTWARE\UAC\mask#a3d50932
HKLM\SOFTWARE\UAC\mask#f5d692d5
HKLM\SOFTWARE\UAC\mask#30910b28
HKLM\SOFTWARE\UAC\mask#1ed943f0
HKLM\SOFTWARE\UAC\mask#e0ae8144
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Rootkit.Agent/Gen-UAC
C:\WINDOWS\SYSTEM32\UACBWULPVXVMTVSIEQIR.DAT
C:\WINDOWS\SYSTEM32\UACHXDKPBAVHOWFVMEPR.LOG


I'll post a full scan log after it finishes. I'm not a big PC person, so any help would be great since I've got pretty much no clue as to what to do, lol.


#2 D_N_M

  • Members
  • 200 posts
  • Gender:Male

Posted 12 July 2009 - 12:39 AM

Hello wayne82,
Welcome to Bleeping Computer.
You seem to have a really nasty infection on your system.
Please try this http://www.malwarebytes.org/mbam.php and post the log from it.
Do a quick scan first, please, and post the results for further analysis.
Thank you.

D_N_M

#3 wayne82
  • Topic Starter

  • Members
  • 4 posts

Posted 12 July 2009 - 01:30 AM

Here it is:

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/12/2009 1:29:02 AM
mbam-log-2009-07-12 (01-28-55).txt

Scan type: Quick Scan
Objects scanned: 95169
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\install.exe (Trojan.Agent) -> No action taken.



I would just reformat and install XP again, but I don't have the discs anymore. :thumbsup:

#4 wayne82
  • Topic Starter

  • Members
  • 4 posts

Posted 12 July 2009 - 01:31 AM

This is the log after removing the infections:

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/12/2009 1:30:42 AM
mbam-log-2009-07-12 (01-30-42).txt

Scan type: Quick Scan
Objects scanned: 95169
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
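As an added example that is not part of this thread and not code from SUPERAntiSpyware or Malwarebytes: the script below parses the two log formats posted above (the SUPERAntiSpyware log in post #1 and the Malwarebytes logs in posts #3 and #4) and pulls out what a responder would look at first. The sample logs embedded in it are constructed excerpts of the logs posted above. The classification rules (a detection name containing "rootkit", UAC-prefixed .DAT/.LOG files under SYSTEM32, `disallowed#` entries under `HKLM\SOFTWARE\UAC`, an Image File Execution Options key, and a "No action taken" result) are my own triage heuristics, not either product's logic.

```python
"""Triage of the anti-malware scan logs posted in this thread.

Added example, not a tool from this thread or from either scanner vendor.
It parses the two log formats seen above and decides whether the detections
point to a rootkit-class infection, which is why a later "all clean" rescan
is weak evidence that the machine is trustworthy.
"""
import re

# Constructed sample: short excerpts of the SUPERAntiSpyware log from post #1
# and the Malwarebytes log from post #3, copied from the thread above.
SAS_LOG = r"""
SUPERAntiSpyware Scan Log

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\injector#*

Rootkit.Agent/Gen-UAC
C:\WINDOWS\SYSTEM32\UACBWULPVXVMTVSIEQIR.DAT
C:\WINDOWS\SYSTEM32\UACHXDKPBAVHOWFVMEPR.LOG
"""

MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> No action taken.

Files Infected:
C:\install.exe (Trojan.Agent) -> No action taken.
"""

# SUPERAntiSpyware: a bare detection name on its own line, then one item
# (registry path or file path) per line until the next blank line.
SAS_HEADER = re.compile(r"^[A-Za-z][\w./-]*$")
SAS_ITEM = re.compile(r"^(?:HK[A-Z_]*\\|[A-Za-z]:\\)")
# Malwarebytes: "<item> (<detection name>) -> <action taken>."
MBAM_ITEM = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Heuristics (mine, not the scanners'), based only on what the posted logs show.
UAC_REG = re.compile(r"^HKLM\\SOFTWARE\\UAC(?:[\\#]|$)", re.I)
UAC_FILE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\UAC[A-Z0-9]+\.(?:DAT|LOG)$", re.I)
DISALLOWED = re.compile(r"\\disallowed#(?P<tool>.+)$", re.I)
IFEO = re.compile(r"\\Image File Execution Options\\(?P<exe>[^\\]+)$", re.I)


def parse_sas(text):
    """Return (detection_name, item, action) triples from a SUPERAntiSpyware log."""
    found, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None                      # blank line ends a detection group
        elif current is None and SAS_HEADER.match(line):
            current = line                      # e.g. "Rootkit.Agent/Gen"
        elif current is not None and SAS_ITEM.match(line):
            found.append((current, line, "detected"))
    return found


def parse_mbam(text):
    """Return (detection_name, item, action) triples from a Malwarebytes log."""
    found = []
    for line in text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            found.append((m["name"], m["item"], m["action"]))
    return found


def triage(detections):
    """Summarise detections and give a verdict on whether the host can be trusted."""
    r = {"rootkit_class": False, "uac_registry_keys": 0, "uac_files": [],
         "blocked_tools": [], "ifeo_hijacks": [], "unresolved": []}
    for name, item, action in detections:
        if "rootkit" in name.lower():
            r["rootkit_class"] = True
        if UAC_REG.match(item):                 # TDSS-style config under HKLM\SOFTWARE\UAC
            r["uac_registry_keys"] += 1
            m = DISALLOWED.search(item)         # security tools the rootkit lists as disallowed
            if m:
                r["blocked_tools"].append(m["tool"])
        if UAC_FILE.match(item):                # UAC*.DAT / UAC*.LOG dropped in SYSTEM32
            r["uac_files"].append(item)
        m = IFEO.search(item)                   # IFEO key: redirects launches of that program
        if m:
            r["ifeo_hijacks"].append(m["exe"])
        if action.lower().startswith("no action"):
            r["unresolved"].append(item)
    if r["rootkit_class"] or r["uac_files"]:
        r["verdict"] = "rootkit-class infection: treat the system as untrusted until it is rebuilt or verified offline"
    elif r["unresolved"]:
        r["verdict"] = "detections not removed: re-run removal and rescan"
    else:
        r["verdict"] = "no rootkit indicators in these logs"
    return r


def triage_logs(sas_text, mbam_text):
    """Parse both log formats and triage the combined detections."""
    return triage(parse_sas(sas_text) + parse_mbam(mbam_text))


if __name__ == "__main__":
    for key, value in triage_logs(SAS_LOG, MBAM_LOG).items():
        print(f"{key}: {value}")
```

Two things the output makes visible that a plain read of the logs does not: the `disallowed` list in post #1 names mbam.exe, SUPERAntiSpyware.exe, combofix.exe and gmer.exe among others, i.e. the very removal tools used in this thread, and the Image File Execution Options key flagged by Malwarebytes is the standard Windows mechanism for redirecting the launch of a named program. Either one means a clean quick scan after a rootkit detection should be read as "unverified" rather than "clean", which is the concern Stang777 raises later in the thread.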

#5 D_N_M

  • Members
  • 200 posts
  • Gender:Male

Posted 12 July 2009 - 09:30 AM

Hello wayne82,

Please re-run Malwarebytes as a full scan and post the results.
Thank you.

D_N_M

#6 wayne82
  • Topic Starter

  • Members
  • 4 posts

Posted 12 July 2009 - 12:44 PM

OK, so I ran Malwarebytes, SUPERAntiSpyware and Avast in safe mode and I think I got it; they all come up with nothing.

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/12/2009 2:11:52 AM
mbam-log-2009-07-12 (02-11-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140794
Time elapsed: 30 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Either Avast or Malwarebytes got it, or it will be popping up later, but for the moment the system seems to be clean. Thanks for the help.

Also, the link for the Malwarebytes download was the only one I have gotten to work. Thanks.

#7 D_N_M

  • Members
  • 200 posts
  • Gender:Male

Posted 12 July 2009 - 12:58 PM

Hello wayne82,
Your logs come back clean; that is excellent. :thumbsup:
I'm glad it worked out for you.
If you are having no more problems with your PC and it is running fine, then maybe a Moderator can close this topic,
or they may want some additional info to be sure you are clean.

D_N_M

#8 Stang777
    Just Hoping To Help


  • Members
  • 1,821 posts
  • Gender:Not Telling

Posted 13 July 2009 - 05:05 AM

That rootkit infection has me a little concerned as to whether or not the system is really clean and trustworthy, even if SUPERAntiSpyware and Malwarebytes seem to have cleaned it up.

I would wait and see if someone from the staff chimes in with an opinion on that one.

Until they do, I would not use this system for online banking or any transaction requiring a credit card number.

I would also run another scan with SUPERAntiSpyware (after updating it), since it was the one that originally picked up the rootkit. This time I would run a full scan with it and then post the full log of it here.

Edited by Stang777, 13 July 2009 - 05:10 AM.
