Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Blahh... Rootkit.TDSS Won't go away...


  • This topic is locked This topic is locked
14 replies to this topic

#1 justbrewit

justbrewit

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 06 September 2009 - 09:11 PM

So My computer froze up while using the internet (firefox) the other day...got a brief blue screen, then it went right to a reboot...

I ran MBAM after the restart, and got the following:

----------------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2749
Windows 5.1.2600 Service Pack 2

9/6/2009 8:54:54 PM
mbam-log-2009-09-06 (20-54-54).txt

Scan type: Quick Scan
Objects scanned: 112385
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\rotscxnnxnvtst.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxspikbpup.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\rotscxvobbvspf.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\rotscxdivxviyu.sys (Rootkit.TDSS) -> Delete on reboot.


------------------------------


I ran MBAM again 2 or 3 times, and got one rootkit.tdss each time...here is the log from the last one I ran:


-------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2749
Windows 5.1.2600 Service Pack 2

9/6/2009 9:14:45 PM
mbam-log-2009-09-06 (21-14-45).txt

Scan type: Quick Scan
Objects scanned: 112298
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rotscxetqxxylb (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------------------------------------

Obviously, I knew something was amiss. Came on here as I got help with fixing another computer a while ago. Seems clear that the next step was to run RootRepeal. So I did, and here was the report:


----------------------------------------------
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/06 21:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7A23000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB396C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: rotscxetqxxylb
Image Path: C:\WINDOWS\system32\drivers\rotscxdivxviyu.sys

==EOF==



-------------------------------------------------------

Hope you guys/gals can work your magic again! Thanks in advance!

Jeff

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:31 AM

Posted 06 September 2009 - 11:55 PM

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 justbrewit

justbrewit
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 07 September 2009 - 01:39 PM

Thanks for the prompt response. Here is the SAS Log:

----------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/07/2009 at 01:16 PM

Application Version : 4.28.1010

Core Rules Database Version : 4087
Trace Rules Database Version: 2027

Scan type : Complete Scan
Total Scan Time : 05:07:49

Memory items scanned : 284
Memory threats detected : 0
Registry items scanned : 6711
Registry threats detected : 6
File items scanned : 128632
File threats detected : 0

Rogue.Component/Trace
HKLM\Software\Microsoft\685A5EFF
HKLM\Software\Microsoft\685A5EFF#685a5eff
HKLM\Software\Microsoft\685A5EFF#Version
HKLM\Software\Microsoft\685A5EFF#685af37f
HKLM\Software\Microsoft\685A5EFF#685a9a9a
HKU\S-1-5-21-2435588675-2597056587-938963738-1007\Software\Microsoft\FIAS4018


-----------------------------------------------------------------------------

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:31 AM

Posted 07 September 2009 - 02:04 PM

You're welcome. Let's rerun 2 apps and see what comes back.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Rerun Rootrepeal now. This time under Scan,select only Files.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 justbrewit

justbrewit
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 07 September 2009 - 08:16 PM

You're welcome. Let's rerun 2 apps and see what comes back.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Rerun Rootrepeal now. This time under Scan,select only Files.



OK...This was phrased a bit confusingly...I wasn't sure if you meant do a scan in normal mode or safe mode. At any rate, I did open MBAM and "Check for Updates" in normal mode. Scanned in Normal Mode, then ran it again in Safe Mode just as an extra. Here are the results of those:

---MBAM in Normal Mode:

------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 2

9/7/2009 8:38:13 PM
mbam-log-2009-09-07 (20-38-13).txt

Scan type: Quick Scan
Objects scanned: 110161
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rotscxetqxxylb (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------

---MBAM in Safe Mode:

Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/7/2009 8:51:50 PM
mbam-log-2009-09-07 (20-51-50).txt

Scan type: Quick Scan
Objects scanned: 108282
Time elapsed: 10 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rotscxetqxxylb (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


------------------------------


Then ran RootRepeal as instructed...Results:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 21:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081229.003\EraserUtilDrvI7.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090906.002\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!


-------------------------------------------

Persistent little bugger, it appears... :thumbsup:

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:31 AM

Posted 07 September 2009 - 09:27 PM

Ok ,,Yes it is , we need a second opinion.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 justbrewit

justbrewit
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 08 September 2009 - 12:35 PM

OK, Ran the Sophos Antirootkit...Here is the log. FYI--I have replaced some personally identifiable info in the various file paths with "...\xxx\..."

Nothing came up as "removable: clean up recommended" in the scan, so I stopped before the reboot/rescan steps...should I go and delete the other removable ones as I know the file path?

-------------------------------------------------------------------------------------

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/8/2009 at 12:33:44 PM
User "xxx" on computer "xxxx-4ADDF1049"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Hidden: registry item \HKEY_USERS\S-1-5-21-2208270123-3036528960-2820352140-1007
Hidden: registry item \HKEY_USERS\S-1-5-21-2208270123-3036528960-2820352140-1007_Classes
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2866348831_3b59fccce0_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2866355007_3dd8bd9554_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2866356809_c51e2cb07a_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2866359095_fcf6088edd_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2866360281_bbf3273342_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2866360683_52a46cb4c1_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867180436_cf2e54dea5_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867181270_34bfa531b2_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867182300_a2f8c6f95b_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867183358_3c16a0093b_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867184458_514eca2c0a_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867186252_181b362674_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867188082_90c89127de_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867189006_06e0842f15_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867189968_b8f8f5fd2a_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867191468_e32af28839_o.jpg
Hidden: file C:\Documents and Settings\xxx\new-set-from-flickr-sept-08---Remote-Practice\__MACOSX\new set from flickr sept 08 - Remote Practice\._2867191856_eb4691ede5_o.jpg
Stopped logging on 9/8/2009 at 13:18:44 PM

---------------------------------------------------------------------

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:31 AM

Posted 08 September 2009 - 02:00 PM

Well I don't see any Kits.. So maybe run one more to see if anything else is hangig out. You look pretty clean.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 justbrewit

justbrewit
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 16 September 2009 - 09:35 PM

Sorry for the delay in response...got busy with misc. stuff...

For what it's worth, I did a couple things in-between running Sophos and running SAS...figure they are worth mentioning:

1--I got sick of Symantec/NAV (pre-installed on my computer from work) hogging memory/etc.. I uninstalled it and installed Avira. Ran a full scan and here's what the results were:


----------------------------------------------------------------------------------------------


Avira AntiVir Personal
Report file date: Tuesday, September 08, 2009 14:16

Scanning for 1696600 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : UCONN-4ADDF1049

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.5.201 3414528 Bytes 9/3/2009 18:15:22
ANTIVIR3.VDF : 7.1.5.219 206848 Bytes 9/8/2009 18:15:24
Engineversion : 8.2.1.12
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
AESCRIPT.DLL : 8.1.2.30 471418 Bytes 9/8/2009 18:15:41
AESCN.DLL : 8.1.2.5 127346 Bytes 9/8/2009 18:15:38
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 9/8/2009 18:15:37
AEHELP.DLL : 8.1.7.0 237940 Bytes 9/8/2009 18:15:29
AEGEN.DLL : 8.1.1.61 364916 Bytes 9/8/2009 18:15:28
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.8 184692 Bytes 9/8/2009 18:15:25
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, September 08, 2009 14:16

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rotscxetqxxylb\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rotscxetqxxylb\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rotscxetqxxylb\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rotscxetqxxylb\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rotscxetqxxylb\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rotscxetqxxylb\imagepath
[INFO] The registry entry is invisible.
'93540' objects were checked, '6' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'TosBtProc.exe' - '1' Module(s) have been scanned
Scan process 'TosOBEX.exe' - '1' Module(s) have been scanned
Scan process 'TosAVRC.exe' - '1' Module(s) have been scanned
Scan process 'TosBtHSP.exe' - '1' Module(s) have been scanned
Scan process 'TosBtBty.exe' - '1' Module(s) have been scanned
Scan process 'TosBtKbd.exe' - '1' Module(s) have been scanned
Scan process 'TosBtHid.exe' - '1' Module(s) have been scanned
Scan process 'TosA2dp.exe' - '1' Module(s) have been scanned
Scan process 'javaw.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'FNPLicensingService.exe' - '1' Module(s) have been scanned
Scan process 'TosBtMng.exe' - '1' Module(s) have been scanned
Scan process 'MEAutoDetect.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'hidfind.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'StatusClient.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'VPTray.exe' - '1' Module(s) have been scanned
Scan process 'ccApp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'pg_ctl.exe' - '1' Module(s) have been scanned
Scan process 'PESRV.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'inetd32.exe' - '1' Module(s) have been scanned
Scan process 'DefWatch.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'scardsvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ccSetMgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
68 processes with 68 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '77' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\SMS\PCW\I86\23079035\bin\AUTOUP.EXE
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\System Volume Information\_restore{D20C67A3-EFBE-4063-B241-3B11311A6F35}\RP299\A0050829.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{D20C67A3-EFBE-4063-B241-3B11311A6F35}\RP299\A0050830.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{D20C67A3-EFBE-4063-B241-3B11311A6F35}\RP299\A0050831.sys
[DETECTION] Is the TR/Trash.Gen Trojan

Beginning disinfection:
C:\Program Files\SMS\PCW\I86\23079035\bin\AUTOUP.EXE
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4afaac7f.qua'!
C:\System Volume Information\_restore{D20C67A3-EFBE-4063-B241-3B11311A6F35}\RP299\A0050829.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4ad6ac5a.qua'!
C:\System Volume Information\_restore{D20C67A3-EFBE-4063-B241-3B11311A6F35}\RP299\A0050830.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4f8dce73.qua'!
C:\System Volume Information\_restore{D20C67A3-EFBE-4063-B241-3B11311A6F35}\RP299\A0050831.sys
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '495d1473.qua'!


End of the scan: Tuesday, September 08, 2009 15:10
Used time: 53:22 Minute(s)

The scan has been done completely.

11932 Scanned directories
440500 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
440494 Files not concerned
1883 Archives were scanned
2 Warnings
6 Notes
93540 Objects were scanned with rootkit scan
6 Hidden objects were found

------------------------------------------------------------------------------------

Then, I ran MBAM over the next couple of days and it was still detecting a rootkit...Here's and example:


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/10/2009 10:26:43 PM
mbam-log-2009-09-10 (22-26-43).txt

Scan type: Quick Scan
Objects scanned: 111590
Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rotscxetqxxylb (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------

Then, it disappeared (no longer detected) with the update on 9/14/09:


Malwarebytes' Anti-Malware 1.41
Database version: 2796
Windows 5.1.2600 Service Pack 2

9/14/2009 2:53:09 PM
mbam-log-2009-09-14 (14-53-09).txt

Scan type: Quick Scan
Objects scanned: 111469
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------------------------

Encouraging...OK, so I finally ran SAS and here are the results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/16/2009 at 10:16 PM

Application Version : 4.28.1010

Core Rules Database Version : 4104
Trace Rules Database Version: 2044

Scan type : Complete Scan
Total Scan Time : 05:17:14

Memory items scanned : 262
Memory threats detected : 0
Registry items scanned : 6579
Registry threats detected : 0
File items scanned : 128744
File threats detected : 0


--------------------------------------------------------------

So it seems we may be clean...just one minor problem...my computer seems to be running REALLY SLOWLY the last few days...even moreso than before I had detected the malware/rootkit. To be honest, it wasn't really running slowly when infected, it just bluescreened that one time...

If I look at Task Manager, Firefox seems to be taking up a huge amount of processor memory...often in excess of 120K....I know I recently downloaded/installed the latest version of Firefox...is this a possible known glitch?

Thanks again for all your help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1

Jeff


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:31 AM

Posted 17 September 2009 - 09:27 AM

Hi,Some of the slowness may be a result of clearing all the Temp and cookie files.. The need to be repopulated at you r usual haunts. but I think we are possibly still infected or it has still hidden items. As it the rotscxetqxxylb (Rootkit.TDSS) file has been in and out of the scans since the first. With the ability to regenerate we need to get inside and be sure there are no traces.

You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 justbrewit

justbrewit
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 17 September 2009 - 12:03 PM

Funny that you mention that we still may be infected...

I literally was reading through the HJT instructions you referred me to when all of a sudden one of my programs tries to start up....Avira beeps and shows the following:


Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
detected in file 'C:\Program Files\SMS\PCW\I86\23079035\bin\AUTOUP.EXE.
Action performed: Deny access

I click OK and almost immediately after, the same thing comes up:


Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
detected in file 'C:\Program Files\SMS\PCW\I86\23079035\bin\AUTOUP.EXE.
Action performed: Deny access


YUCK!

Anything else to do in the meantime, or just go forward with the HJT instructions you just offered?


#12 justbrewit

justbrewit
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 17 September 2009 - 12:12 PM

OK...this is interesting...it appears to be triggered by me trying to print out the HJT instructions page as a "pdf" file (I am currently away from a printer). Tried doing it again and got the same thing....other program attempted to startt up, and Avira did it's thing:

Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
detected in file 'C:\Program Files\SMS\PCW\I86\23079035\bin\AUTOUP.EXE.
Action performed: Deny access

Grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr......... :thumbsup:

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:31 AM

Posted 17 September 2009 - 01:17 PM

Rerun MBAM (MalwareBytes) like this: May make your life easier to post that HJT log.


Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 justbrewit

justbrewit
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 17 September 2009 - 01:47 PM

Thanks, Boopme...

I just posted a HJT log a little while ago..

MBAM scan (found nothing):


Malwarebytes' Anti-Malware 1.41
Database version: 2817
Windows 5.1.2600 Service Pack 2

9/17/2009 2:45:25 PM
mbam-log-2009-09-17 (14-45-25).txt

Scan type: Quick Scan
Objects scanned: 112792
Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



So we'll wait and see....thanks again...

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:31 AM

Posted 17 September 2009 - 01:54 PM

You're welcome!! they WILL answer you in a few days(very busy now there). They will find it for you too.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users