
Infected with backdoor trojan Win32.Trojan.TDSS


  • This topic is locked
21 replies to this topic

#1 Buterf1y78

Buterf1y78

  • Members
  • 19 posts

Posted 15 July 2009 - 08:04 AM

I have never tried this before and any help would be much appreciated. Last Friday (7/10/09) my computer was infected with the System Security Virus after my husband clicked on a picture in craigslist. Desktop went to blue screen with "warning your computer is infected..." and after a few minutes the computer was useless. My brother, who has some computer knowledge, did his best and cleared out most of the infection. Now although I am able to use the computer, the backdoor trojan Win32.Trojan.TDSS is definitely still there. On occasion I get a warning from Ad-Aware that says malware is found. I have run both Ad-Aware and Malwarebytes repeatedly and it just cannot clear out this virus. We have located the *.bmp files that were the warning screens and deleted those also. Both Ad-Aware and Malwarebytes can locate the files but cannot remove them even after a reboot. Monday (7/13) after a long day of working on it we thought the system was clean, but at approximately 1 am my computer speakers started playing Michael Jackson songs. Couldn't find on the computer where it was coming from and after two songs it ended. So I scanned with Ad-Aware and it found the same virus again. Malwarebytes has found UACinit.dll. I am pretty sure this is a nasty backdoor trojan and a rootkit virus that is totally screwing up my system. It is functional at the moment and we have already gone on different computers to change all sensitive information and haven't accessed it from this computer since the virus hit. I am not sure all the things my brother has done to fix it but I believe at one point he may have run a ComboFix, but again not totally sure. Like I said any help would be great. Just let me know what to do and I will try to do it. Thank you so much.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,194 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 July 2009 - 12:01 PM

Hello, about the TDSS..
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



To clean please post your MBAM (Malwarebytes) log
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts

Posted 15 July 2009 - 04:32 PM

Here is my MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/15/2009 11:33:27 AM
mbam-log-2009-07-15 (11-33-27).txt

Scan type: Quick Scan
Objects scanned: 101120
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACiqxayrbxmwwkbkajm.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACiqxayrbxmwwkbkajm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.



Now I will do the rest and post it in asap. Thank you so much for your help.
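The MBAM log above has a fixed line shape (item, detection family in parentheses, an arrow, then the action taken), so it can be read mechanically rather than by eye. The Python script below is an added example, not code from this thread or from Malwarebytes: it parses a constructed sample modelled on the posted log, flags the markers that the TDSS detections in this thread share (a `\\?\globalroot\systemroot` path instead of a drive letter, `UAC`-prefixed file names, the `HKEY_LOCAL_MACHINE\SOFTWARE\UAC` key), and lists the items MBAM could only schedule for removal on reboot. The three-part indicator check is a reviewer's heuristic I assume for the example, not a vendor signature.

```python
import re
from collections import Counter

# Constructed sample modelled on the MBAM 1.38 log posted in this thread
# (shortened; it is not the poster's full log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 101120

Memory Modules Infected: 1
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACiqxayrbxmwwkbkajm.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACiqxayrbxmwwkbkajm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# A section header is "<Name> Infected:" with nothing after the colon; the
# summary block near the top uses the same words followed by a count, and the
# anchored "$" keeps those lines out.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One detection line: "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def tdss_indicator(item: str) -> bool:
    """True if a path or key carries one of the markers the TDSS/UAC detections
    in this thread have in common (assumption: a reviewer's heuristic)."""
    low = item.lower()
    last = low.rsplit("\\", 1)[-1]
    return (
        "\\globalroot\\" in low              # object-manager path rather than a drive letter
        or last.startswith("uac")            # UAC<random>.dll and uacinit.dll
        or low.endswith("\\software\\uac")   # the HKLM\SOFTWARE\UAC trace key
    )


def parse_mbam_log(text: str) -> dict:
    """Return {'header': {...}, 'detections': [...]} for one MBAM log."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            header["version"] = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database version:"):
            header["database"] = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("("):   # "(No malicious items detected)"
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        item, family, action = m.group("item", "family", "action")
        detections.append({
            "section": section,
            "item": item,
            "family": family,
            "action": action,
            # MBAM could not remove the object while it was in use and has only
            # scheduled it; the later logs in this thread show such items back again.
            "pending": action.lower().startswith("delete on reboot"),
            "rootkit_indicator": tdss_indicator(item),
        })
    return {"header": header, "detections": detections}


def summarize(report: dict) -> dict:
    """Counts per detection family plus the two lists a helper wants first."""
    dets = report["detections"]
    return {
        "by_family": dict(Counter(d["family"] for d in dets)),
        "pending": sorted({d["item"] for d in dets if d["pending"]}),
        "rootkit_indicators": sorted({d["item"] for d in dets if d["rootkit_indicator"]}),
    }


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("MBAM", report["header"]["version"], "database", report["header"]["database"])
    for key, value in summarize(report).items():
        print(f"{key}: {value}")
```

Run against a real log, the `pending` list is the one to compare with the next scan: an item that stays "Delete on reboot" across scans is being held open by something that survives the reboot, which is exactly the pattern this thread goes on to show.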

#4 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts

Posted 15 July 2009 - 04:38 PM

Ok, downloaded both and saved to desktop, but when I click on SUPER an error message comes back that says "SUPERAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience." It goes on to say something about telling Microsoft about this problem but I just clicked "Don't Send". I have tried to open it 3 times and the same message comes up each time and I click the same button. What do I do now? Thanks again.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,194 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 July 2009 - 07:48 PM

Next please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#6 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts

Posted 15 July 2009 - 08:37 PM

Ok downloaded rootrepeal from your link but couldn't open it so downloaded the 7 zip tool. Unzipped it, double clicked on it and immediately the computer restarted. I thought maybe I did something wrong so when I got back to the desktop I tried again and the exact same thing happened. Not sure what is up. Please help, thanks again!

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,194 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 July 2009 - 08:53 PM

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#8 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts

Posted 15 July 2009 - 09:08 PM

Ok, after the second restart I mentioned earlier, Ad-Aware had started a background scan (sorry I hadn't noticed that); it found 3 malware but I haven't done anything with it, just left it at the scan screen. I did open MBAM and clicked update; it said it downloaded the newest version and it would close and install, but when I press the ok button it just closes MBAM and does nothing. I am not sure what to do, everything I have tried does not work. Is that normal for this virus? What should I do next? Do I just leave Ad-Aware open or ask it to clean out the virus (which it will, but it will come right back in a short while)? Thanks for the help, sorry I am such a pain.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,194 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 July 2009 - 09:24 PM

It's OK, this is what they are starting to write for malware: shuts everything down.. So can you reopen MBAM and click update.. see if it says Version 1.39.. if so run a quick scan.

EDIT: Maybe we can slip this one by..
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 15 July 2009 - 09:31 PM.


#10 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts

Posted 15 July 2009 - 09:49 PM

I tried downloading Version 1.39 (even tried renaming it) but although it would download I still couldn't get it to run on my system. My working version is 1.38. I will go on to the next step you mentioned. I am printing the instructions now. Thanks again.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,194 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 July 2009 - 10:03 PM

Oh, I may have it here.. Thanks to Fatdcuk at MBAM.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan allow MBAM to remove what it had found then reboot.

Goodbye SystemSecurity

#12 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts

Posted 15 July 2009 - 11:51 PM

I had some trouble with the SDFix you asked me to run but ultimately got it done. Here is that log:


SDFix: Version 1.240
Run by Owner on Wed 07/15/2009 at 11:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

AUTOEXEC.NT Restored from backups

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 00:42:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 1381
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 1381
disk error: C:\Documents and Settings\Owner\ntuser.dat, 1381
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe"="C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe:*:Enabled:SpamSubtract Main Module"
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"="C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe:*:Disabled:BackWeb-1940576"
"C:\\Program Files\\AdSubtract\\adsub.exe"="C:\\Program Files\\AdSubtract\\adsub.exe:*:Enabled:AdSubtract PRO"
"E:\\nfs3.exe"="E:\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Documents and Settings\\All Users\\Documents\\My Music\\Piolet\\Piolet.exe"="C:\\Documents and Settings\\All Users\\Documents\\My Music\\Piolet\\Piolet.exe:*:Enabled:Piolet servent main executable"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\winks\\Birthday Cat\\install.exe"="C:\\winks\\Birthday Cat\\install.exe:*:Enabled:install"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1141612327\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1141612327\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1141612327\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1141612327\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Yahoo! Games\\Yahoo! Ten Pin Championship Bowling\\Yahoo Ten Pin Championship Bowling.exe"="C:\\Program Files\\Yahoo! Games\\Yahoo! Ten Pin Championship Bowling\\Yahoo Ten Pin Championship Bowling.exe:*:Enabled:Skyworks Ten Pin Championship Bowling"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sat 21 Aug 2004 196 A.SHR --- "C:\BOOT.BAK"
Sun 27 Aug 2006 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\SpyRobot\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\SpyRobot\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\SpyRobot\TeaTimer.exe"
Sun 9 Oct 2005 342,006 A.SH. --- "C:\WINDOWS\system32\ehhkj.tmp"
Fri 14 Oct 2005 349,397 A.SH. --- "C:\WINDOWS\system32\ehhkj.bak1"
Sat 15 Oct 2005 353,696 A.SH. --- "C:\WINDOWS\system32\ehhkj.bak2"
Tue 5 Jul 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 5 Jul 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Tue 1 May 2007 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 30 Nov 2006 4,958 A.SH. --- "C:\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\SAMSUNG__CD-R_RW_SW-252S__R903_310_DICV018_DRGV2050108.TMP"

Finished!

I will do the MBAM right now and post asap. Thanks again!

Edit: Sorry, I forgot to mention that when I rebooted to send this info to you I got two Windows error messages. The first was for ViewMgr and it was a typical "encountered an error and needed to close" message. The next seemed more sinister; it was for Microsoft Windows and said that "the system has RECOVERED FROM a serious error. A log of this error has been created." I was able to close out of it in order to post this log. Just thought I should tell ya about it. Seems to be running though and Ad-Aware hasn't picked up on anything yet.

Edited by Buterf1y78, 16 July 2009 - 12:16 AM.
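The "Authorized Application Key Export" in the SDFix log above is the Windows Firewall exception list dumped in .reg format (note the doubled backslashes), and helpers read it to spot exceptions the user never knowingly added. The Python parser below is an added example, not SDFix's or the thread's own code: it reads a constructed subset of the posted export, normalises the path separators, and returns the enabled exceptions whose executable sits outside the Windows or Program Files trees, plus any enabled exception for a generic host binary such as rundll32.exe. Which roots count as "usual" and which binaries count as generic hosts are my assumptions for the example.

```python
import re
from collections import Counter

# Constructed subset of the firewall export SDFix printed in this thread;
# the doubled backslashes are how a .reg export writes path separators.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\nfs3.exe"="E:\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\Documents and Settings\\All Users\\Documents\\My Music\\Piolet\\Piolet.exe"="C:\\Documents and Settings\\All Users\\Documents\\My Music\\Piolet\\Piolet.exe:*:Enabled:Piolet servent main executable"
"C:\\winks\\Birthday Cat\\install.exe"="C:\\winks\\Birthday Cat\\install.exe:*:Enabled:install"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"""

PROFILE_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(?P<profile>\w+)\\authorizedapplications\\list\]$",
    re.IGNORECASE,
)
# Value format: "<path>:<scope>:<Enabled|Disabled>:<display name>". The path
# itself contains a colon (C:\...), so it is matched non-greedily and the
# state keyword anchors the split.
ENTRY_RE = re.compile(
    r'^"(?P<key>[^"]+)"="(?P<path>.+?):(?P<scope>[^:"]*):(?P<state>enabled|disabled):(?P<name>[^"]*)"$',
    re.IGNORECASE,
)

# Assumption: executables under these roots are "usual"; anything else that is
# enabled deserves a look. %windir% is left unexpanded, as in the export.
USUAL_ROOTS = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")
# Assumption: host binaries that run arbitrary code; an enabled exception for
# one of these is reviewed even though it sits under C:\WINDOWS.
GENERIC_HOSTS = {"rundll32.exe", "svchost.exe", "explorer.exe"}


def parse_authorized_apps(text: str) -> list:
    """Return one dict per exception, tagged with the profile it belongs to."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group("profile").lower()
            continue
        m = ENTRY_RE.match(line)
        if m and profile:
            path = m.group("path").replace("\\\\", "\\")   # undo .reg escaping
            entries.append({
                "profile": profile,
                "path": path,
                "scope": m.group("scope"),
                "enabled": m.group("state").lower() == "enabled",
                "name": m.group("name"),
            })
    return entries


def review(entries: list):
    """Return (flagged entries, per-profile counts)."""
    flagged = []
    for e in entries:
        if not e["enabled"]:
            continue
        low = e["path"].lower()
        base = low.rsplit("\\", 1)[-1]
        if not low.startswith(USUAL_ROOTS) or base in GENERIC_HOSTS:
            flagged.append(e)
    return flagged, dict(Counter(e["profile"] for e in entries))


if __name__ == "__main__":
    entries = parse_authorized_apps(SAMPLE_EXPORT)
    flagged, counts = review(entries)
    print("exceptions per profile:", counts)
    for e in flagged:
        print(f"[{e['profile']}] {e['path']}  ({e['name']})")
```

A flagged entry is not a verdict, only a prompt: in the posted export the three that trip the location check are a game on a removable drive, a peer-to-peer client under the shared Documents folder and an installer under C:\winks, and the person at the keyboard is the one who can say which of those were added on purpose.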


#13 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts

Posted 16 July 2009 - 12:22 AM

Ok so unfortunately MBAM found 2 issues and immediately upon restart my Ad-Aware Ad Watch live detected some malware and immediately started to scan so I will post both logs here.
First MBAM right after the previous message:
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/16/2009 1:20:57 AM
mbam-log-2009-07-16 (01-20-57).txt

Scan type: Quick Scan
Objects scanned: 97935
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.



~~~~~~~
~~~~~~~
~~~~~~~

This is the Ad-Aware log from the scan that started on reboot for MBAM:

Logfile created: 7/16/2009 1:23:53
Lavasoft Ad-Aware version: 8.0.7
Extended engine version: 8.1
User performing scan: Owner

*********************** Definitions database information ***********************
Lavasoft definition file: 149.0
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 26087
Objects detected: 11


Type Detected
==========================
Processes.......: 1
Registry entries: 0
Hostfile entries: 0
Files...........: 2
Folders.........: 0
LSPs............: 0
Cookies.........: 8
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *questionmarket* Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0
Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0
Description: *realmedia* Family Name: Cookies Clean status: Success Item ID: 409139 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: \\?\globalroot\systemroot\system32\uaciqxayrbxmwwkbkajm.dll Family Name: Win32.Trojan.TDSS Clean status: Reboot required Item ID: 942777 Family ID: 5401
Description: C:\WINDOWS\system32\UACfegfiuoilebtdikrl.dll Family Name: Win32.Trojan.TDSS Clean status: Reboot required Item ID: 888515 Family ID: 5401
Description: C:\WINDOWS\system32\UACiqxayrbxmwwkbkajm.dll Family Name: Win32.Trojan.TDSS Clean status: Reboot required Item ID: 942777 Family ID: 5401

Scan and cleaning complete: Finished correctly after 335 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: scanrootkits, enabled:1, value: true
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Apr 29 21:17:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Apr 29 21:17:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: NELAND
Processor name: AMD Athlon™ XP 2800+
Processor identifier: x86 Family 6 Model 10 Stepping 0
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 2560, number of processors 1
Physical memory available: 568238080 bytes
Physical memory total: 1006092288 bytes
Virtual memory available: 2052382720 bytes
Virtual memory total: 2147352576 bytes
Memory load: 43%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 592 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 696 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 724 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 780 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 796 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1024 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1176 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1300 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1424 name: C:\WINDOWS\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1600 name: C:\WINDOWS\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1704 name: C:\WINDOWS\Explorer.EXE owner: Owner domain: NELAND
PID: 1776 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1852 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 304 name: C:\PROGRA~1\AVG\AVG8\avgtray.exe owner: Owner domain: NELAND
PID: 312 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Owner domain: NELAND
PID: 444 name: C:\WINDOWS\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 480 name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 496 name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 520 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 568 name: C:\WINDOWS\system32\drivers\KodakCCS.exe owner: SYSTEM domain: NT AUTHORITY
PID: 704 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1268 name: C:\Program Files\Viewpoint\Common\ViewpointService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1496 name: C:\PROGRA~1\AVG\AVG8\avgrsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1532 name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1980 name: C:\WINDOWS\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1504 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1584 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2560 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2712 name: C:\Program Files\Mozilla Firefox\firefox.exe owner: Owner domain: NELAND
PID: 2968 name: C:\WINDOWS\system32\wuauclt.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3104 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe owner: Owner domain: NELAND

Startup items:
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: AVG8_TRAY
imagepath: C:\PROGRA~1\AVG\AVG8\avgtray.exe
Name: Ad-Watch
imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk /p \??\C:
Name:
imagepath: autocheck autochk *
Name:
imagepath: lsdelete

Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: Apple Mobile Device
displayname: Apple Mobile Device
Name: AudioSrv
displayname: Windows Audio
Name: avg8wd
displayname: AVG Free8 WatchDog
Name: Bonjour Service
displayname: Bonjour Service
Name: Browser
displayname: Computer Browser
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: FastUserSwitchingCompatibility
displayname: Fast User Switching Compatibility
Name: helpsvc
displayname: Help and Support
Name: KodakCCS
displayname: Kodak Camera Connection Software
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: Viewpoint Manager Service
displayname: Viewpoint Manager Service
Name: W32Time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wuauserv
displayname: Automatic Updates
Name: WZCSVC
displayname: Wireless Zero Configuration



After checking to remove all a message popped up that said there were no files to send to ThreatWork.
Not sure how to proceed.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,194 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 PM

Posted 16 July 2009 - 08:41 AM

Ok, much better... Now do the RootRepeal from Post 5. I think it'll work now.

#15 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:59 PM

Posted 16 July 2009 - 09:03 AM

Well, last night I figured I would try running the ATF and SAS by renaming them, and they both worked, so here is the log from SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2009 at 04:23 AM

Application Version : 4.26.1006

Core Rules Database Version : 3998
Trace Rules Database Version: 1938

Scan type : Complete Scan
Total Scan Time : 02:29:44

Memory items scanned : 247
Memory threats detected : 0
Registry items scanned : 5883
Registry threats detected : 25
File items scanned : 95668
File threats detected : 4

Adware.Zango Toolbar/Hb
HKLM\Software\Classes\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Control
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Implemented Categories
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\InprocServer32
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\InprocServer32#ThreadingModel
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Instance
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Instance#CLSID
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Instance\InitPropertyBag
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Instance\InitPropertyBag#Url
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\MiscStatus
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\MiscStatus\1
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\ProgID
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Programmable
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\ToolboxBitmap32
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\TypeLib
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\Version
HKCR\CLSID\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}\VersionIndependentProgID
HKCR\HBMain.CommBand.1
HKCR\HBMain.CommBand
HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}
C:\PROGRAM FILES\ZANGO\BIN\10.1.181.0\HOSTIE.DLL
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}
HKU\S-1-5-21-3961964806-1770341357-741458596-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7}

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\EHHKJ.BAK1
C:\WINDOWS\SYSTEM32\EHHKJ.INI
C:\WINDOWS\SYSTEM32\EHHKJ.INI2


Do you still want me to try RootRepeal from post 5?
