
Infected with Rootkit.tdss



#1 icekoldkilla94


Posted 16 August 2009 - 05:03 PM

I was infected with a rootkit about a week ago and was informed by Spyware Doctor. A message popped up saying that a high threat was blocked called Rootkit.tdss. I'm sorry if I'm not too detailed about this part. Ever since I received this rootkit, I haven't gone on the computer because I was a little scared. But now I decided to do something about it and this seems like the best place to get help. Right before I posted this, my computer was infected with Windows Antivirus Pro but I successfully removed it with Malwarebytes' Anti-Malware. After I rebooted my computer, Spyware Doctor popped up with the message to block rootkit. If you can tell me what programs to run so you can look at the logs, that would be great. I just want to know if rootkit installed a backdoor on my computer. Thank you. Also, a few months ago, way before getting this rootkit, I kept getting and still am, a message that says "The application or DLL C:\Windows\system32\yugovuji.dll is not a valid Windows image. Please check this against your installation diskette." If I could get help fixing this too, I would greatly appreciate it.

I also have some questions about my infection. Have there been any times when a rootkit has not installed a backdoor on a computer? And if there is no backdoor, can the rootkit be removed 100%? Can a system restore remove a rootkit? Please help and thanks a lot.



DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 17:37:58.93 on Sun 08/16/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.103 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {fba5f184-9e43-4632-82da-4cf070e37bab} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://inform.bankofny.com/mfsaccess/controls/sglw2hcm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: khfffEtT - khfffEtT.dll
Notify: urqNFuuv - urqNFuuv.dll
Notify: xxyvvtSk - xxyvvtSk.dll
AppInit_DLLs: jopprg.dll isuoos.dll apeuug.dll c:\windows\system32\tepimave.dll ogfgst.dll c:\windows\system32\rujezare.dll c:\windows\system32\yasabetu.dll ctuakq.dll c:\windows\system32\fakuriyo.dll,c:\windows\system32\yugovuji.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtUKcYo
LSA: Notification Packages = scecli c:\windows\system32\tepimave.dll c:\windows\system32\rujezare.dll c:\windows\system32\yasabetu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\5or1a3l8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-2 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-2 108552]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-8-8 26640]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-8-8 21392]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-8-11 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-8-8 21648]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-8-8 32528]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-2 298776]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-8-8 144960]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-31 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-31 1095560]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-8-8 243216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-7 24652]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-8-11 108368]
RUnknown zufwh;zufwh; [x]

=============== Created Last 30 ================

2009-08-16 17:19 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-08-16 17:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 17:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-16 17:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 17:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-31 20:31 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-31 20:31 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-31 20:31 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-31 20:30 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools

==================== Find3M ====================

2009-07-17 09:43 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-14 14:57 1,768 a------- c:\windows\EntPack.dat
2009-06-27 21:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 20:16 0 ac-sh--- c:\windows\system32\jitodiyo.dll
2009-02-07 23:32 31,360 a--sh--- c:\windows\system32\oYcKUtwa.ini2
2009-02-03 21:40 37,412 a--sh--- c:\windows\system32\wGMVvyay.ini2
2008-12-15 22:17 893,908 a--sh--- c:\windows\system32\xwDMpqss.ini2
2009-01-16 20:16 0 a--sh--- c:\windows\system32\yugovuji.dll

============= FINISH: 17:43:16.25 ===============


#2 SifuMike


Posted 26 August 2009 - 04:51 PM

Hello icekoldkilla94 ,

If you still need help then please do the following

Download and run RootRepeal

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Posted Image tab at the bottom.
  • Now press the Posted Image button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Post those logs back in your next reply.

Edited by SifuMike, 26 August 2009 - 04:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 icekoldkilla94


Posted 26 August 2009 - 10:55 PM

Thanks for responding sifumike. I followed your steps, shutting down my anti-virus, spyware, etc. and disconnecting from the internet. When I ran RootRepeal, no box came up as you have said. Instead, when I open it, the different categories are in separate tabs with a save report option in every tab. Also, a ".dat" opens up but I don't know what program to open that up with. By default, it opens up with Nero Showtime on my computer, which obviously doesn't work. Even before I did any of this, a message from Spyware Doctor came up asking me to block Antivirus Pro. I had already removed that from my computer previously with Malwarebytes' Anti-Malware. Normally, Antivirus Pro doesn't allow you to open anything but after I used MBAM, it allowed me to. I really appreciate you for taking your time to respond to my message but I think I will just reformat my computer.

I do have some questions though. Where do rootkits typically install in your computer? Do they install in just the system32 folder or do they infect other files or programs? I'm asking because I want to know if I reformat my computer and backup some files, will the rootkit still be there? For example, can the rootkit infect a ".doc" file or corrupt a whole program such as Microsoft Word 2007 or any other program with its corresponding files? Also, if I backup files while the rootkit is in my computer, will the rootkit be there after I reformat it? This is pertaining to my previous questions. If you can answer my questions, I would be grateful. Thank you for your time.

#4 SifuMike


Posted 27 August 2009 - 11:43 AM

but I think I will just reformat my computer


Good choice. Sometimes a reformat and reload is the best choice.


Where do rootkits typically install in your computer?


Can be anywhere.
Sometimes in the root drive, sometimes in drivers, sometimes in an Alternate Data Stream on the %windir%\system32 directory.
Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
Even though the rootkit can be identified and removed, your PC may have been compromised and there is no way to be sure the computer can ever be trusted again.

Please read:
"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Backup all your documents and important items (personal data, work documents, pictures etc.) only.
DO NOT backup any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm).

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them.

Do they install in just the system32 folder or do they infect other files or programs?


No, they can be elsewhere, and yes, they can infect other files.

Also, if I backup files while the rootkit is in my computer, will the rootkit be there after I reformat it?


Depends what files you back up.
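The backup rules in the reply above (skip executables, screensavers and web pages; avoid zip/cab/rar archives carrying .exe or .scr files) turned into a small triage script. This is an added example, not code from the thread or from BleepingComputer; the file names it creates are constructed samples, and .cab/.rar archives are treated as unverifiable because only ZIP can be listed with the standard library.

```python
import tempfile
import zipfile
from pathlib import Path

# Rules taken from the reply: never back up executables, screensavers or web
# pages, and avoid archives that carry .exe/.scr files inside them.
NEVER_BACKUP = {".exe", ".scr", ".html", ".htm"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
RISKY_INSIDE = {".exe", ".scr"}


def classify(path: Path) -> str:
    """Return 'backup', 'skip' (the reply says not to back it up) or
    'avoid' (an archive that may carry executables and cannot be cleared)."""
    ext = path.suffix.lower()
    if ext in NEVER_BACKUP:
        return "skip"
    if ext not in ARCHIVE_EXTS:
        return "backup"
    if ext != ".zip":
        # .cab/.rar cannot be listed with the standard library, so they are
        # treated as unverified and avoided, per the reply's advice.
        return "avoid"
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
    except (OSError, zipfile.BadZipFile):
        return "avoid"
    if any(Path(m).suffix.lower() in RISKY_INSIDE for m in members):
        return "avoid"
    return "backup"


def triage(folder: Path) -> dict:
    """Classify every regular file under folder, keyed by relative path."""
    return {str(p.relative_to(folder)): classify(p)
            for p in sorted(folder.rglob("*")) if p.is_file()}


def run_demo() -> dict:
    """Build a constructed sample folder (hypothetical file names) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("thesis.doc", "photo.jpg", "setup.exe", "saver.scr",
                     "page.htm", "old.cab"):
            (root / name).write_bytes(b"constructed sample")
        with zipfile.ZipFile(root / "docs.zip", "w") as zf:
            zf.writestr("notes.txt", "plain text")
        with zipfile.ZipFile(root / "bundle.zip", "w") as zf:
            zf.writestr("readme.txt", "plain text")
            zf.writestr("tools/installer.exe", "not really a program")
        return triage(root)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:7} {name}")
```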

#5 icekoldkilla94


Posted 27 August 2009 - 12:12 PM

Thank you for your time sifumike. I understand that here at BC, it gets pretty busy. Thanks again.

Edited by icekoldkilla94, 27 August 2009 - 12:13 PM.


#6 SifuMike


Posted 27 August 2009 - 12:48 PM

You're very welcome. :thumbup2:

#7 SifuMike


Posted 10 September 2009 - 06:44 PM

Since your problem appears to be resolved, this thread will now be closed.

Edited by SifuMike, 10 September 2009 - 06:45 PM.
