Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple infections including AVR09 and TDSSserv on Windows XP


  • This topic is locked This topic is locked
3 replies to this topic

#1 CCouture

CCouture

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 07 October 2009 - 03:05 PM

Hi Folks!

I have a computer running Window XP with multiple infections. Looking up the symptoms it appears that the computer is infected with SillyDL.4PW, Win32.TrojanTDSS and there is also a fake anti-virus AdvancedVirusRemoval 2009. There may also be others I just haven't identified yet.

I tried running the tools in the prep guide but they don't run. DDS opens but never produces the reports in notepad and the same thing happens with RootRepeal.

Everything that runs produces an error message "filename.exe\.dll - Bad image. hjgruilyprridw.dll is not a valid windows image. Please check this against your installation diskette."

I am now not sure how to proceed.

I have UBCD for Windows which I can start from but I cannot get any tools to run this way. I can start windows "normally" but I get the errors listed above and the tools won't run as I said.

Any suggestions?

Right now I am trying to run a copy of spybot search and destroy from the UBCD for windows cd to see if I can get some stuff cleaned enough to run the tools suggested by the prep guide.

Should I just give up the ghost and reformat?

Thank you for any suggestions or comments you may have.

Caroline

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 AM

Posted 07 October 2009 - 04:08 PM

Hello and welcome.
It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Download this Utility and save it to your Desktop.
Double-click the Utility to run it and and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below..

Next please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post the above Win32kDiag.exe log.

Let me know how that went.


This will be about a week wait so if reformatting is an option that may be quicker. Are you running XP or Vista?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 CCouture

CCouture
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 08 October 2009 - 10:02 AM

Thank you! I have done as you asked and created a new topic with the log. The computer is running Windows XP.

The new topic references your name and the same topic title.

Thank you!
Caroline


Hello and welcome.
It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

[snip]



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,954 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:08 AM

Posted 08 October 2009 - 11:14 AM

Your log is posted here.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users