Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I believe I have a rootkit and Google redirect


  • This topic is locked This topic is locked
6 replies to this topic

#1 aglandiir

aglandiir

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:36 AM

Posted 13 October 2009 - 12:19 PM

Hi,

I made the extremely silly mistake of connecting directly to the Internet without a firewall up, and now, links from Google search results get redirected to a random other (presumeably malicious) search engine. I did a little research, and the Go.Google virus seemed like a match, but my computer doesn't have any of the files associated with that virus, and the redirects do not go to go.google.com, so I don't think that's what it is.

I tried rebooting in safe mode to run MalwareBytes, AdAware, etc., but found that safe mode had been disabled; it gets a STOP bluescreen after loading all devices. I checked the registry, and the SafeBoot key is present and unmodified, as far as I can tell.

At this point, the infection started to seem like the TDSS rootkit, but I couldn't find any of the hallmarks of that infection, either. There are no strange hidden or non-plug-and-play devices, and no TDSSServ.sys device.

RootkitRevealer came back with nothing. None of my security software can successfully update; it looks like it works, but the definitions aren't actually downloaded. Also, Symantec AV cannot complete a system scan; the scan ends (no crash or anything strange) after 1446 files scanned, every time. I also tried booting in Knoppix and running ClamAV, but that came back clean, too.

Next, I tried running SysInternals Procmon, and by chance, observed the following line when I opened Notepad:

11:50:35 AM NOTEPAD.EXE 5792 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tdlwsp.dll NAME NOT FOUND Desired Access: Read

So, I searched for tdlwsp.dll and got a bunch of fresh (within the last month) hits, indicating that tdlwsp.dll is part of the TDSS rootkit after all.

However!

All of the information I found (including a thread on bleepingcomputer: http://www.bleepingcomputer.com/forums/t/260359/rootkittdss-infection/ ) showed that tdlwsp.dll was being mounted under the hard disk controller as a hidden virtual device, for example: \\?\globalroot\Device\Ide\IdePort3\ppbwuxte\ppbwuxte\tdlwsp.dll... but my computer doesn't seem to show this symptom. None of the scans I run come back with a result like that (or any result at all). In fact, the only reference to tdlwsp.dll on my system that I can find is in Procmon; it looks like it's getting loaded every time a new program is launched.

So... yeah, sorry for the long story, but that's where I am. Luckily, the infection seems to only be redirecting Google links and disabling safe mode, for now at least. Help, please?

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:36 AM

Posted 13 October 2009 - 01:23 PM

Try GMER

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 aglandiir

aglandiir
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:36 AM

Posted 14 October 2009 - 03:16 PM

GMER is getting a bluescreen in the middle of the scan. I tried it twice; once it came up with:

STOP: 0x0000007E (0x00000000, 0x00000000, 0x00000000, 0x00000000)

The second time, it ran much further, but got this:

The problem seems to be caused by the following file: pxloipob.sys
PAGE_FAULT_IN_NONPAGED_AREA
STOP: 0x00000050 (0xAE30B000, 0x00000000, 0x9BE799DF, 0x00000000)
pxloipob.sys - Address 9BE799DF base at 9BE6E000, DateStamp 4ac85061

As such, I wasn't able to get any logs from GMER. Should I try again?

#4 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:36 AM

Posted 14 October 2009 - 09:54 PM

No, let's try rootrepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#5 aglandiir

aglandiir
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:36 AM

Posted 15 October 2009 - 03:50 PM

Here's the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/15 16:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9F493000 Size: 876544 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9B68D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\common
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\common\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\common\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\mnd.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\rr.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\seccache.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\secpolicy.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\settings.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtns.bin
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Owner
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Owner\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Owner\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Owner\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Owner\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071015.009\EraserUtilDrv10733.sys
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Owner\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\cspContainer.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Lenovo\Client Security Solution\hibernation.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2961299988-2761267070-2844025327-1010
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2961299988-2761267070-2844025327-1010
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\f0043a42-8fc7-48de-bbf0-b51582e8de47
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\6ae10a9a-28e0-402c-9c78-9a196eae0354
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2961299988-2761267070-2844025327-1010\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2961299988-2761267070-2844025327-1010\059bbc5e-9800-466d-9ff2-4845dfdf3bd1
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2961299988-2761267070-2844025327-1010\b19a3e53-bb71-4968-8464-0545ae90072e
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2961299988-2761267070-2844025327-1010\d4074145-72ed-40df-aeb7-1ceb12e62cc6
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2961299988-2761267070-2844025327-1010\f0d6c8e8-a704-48fe-a33c-7472380d7a1b
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-2961299988-2761267070-2844025327-1010\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\9891a2e8-673a-41fb-b115-a0c318cc7c65
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\f0043a42-8fc7-48de-bbf0-b51582e8de47
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\6ae10a9a-28e0-402c-9c78-9a196eae0354
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\9891a2e8-673a-41fb-b115-a0c318cc7c65
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Charlo2\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\f0043a42-8fc7-48de-bbf0-b51582e8de47
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1988044591-4220780109-2101393241-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\6ae10a9a-28e0-402c-9c78-9a196eae0354
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2559790823-37262495-1464309930-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\9891a2e8-673a-41fb-b115-a0c318cc7c65
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4056031327-3937841889-3694773322-1003\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\0e5e09ed-acbc-48dc-b6fd-7d67a3d83614
Status: Invisible to theSSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8910c418

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba8f887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba8f8bfe

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1552) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 3088) Address: 0x10000000 Size: 28672

==EOF==

#6 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:36 AM

Posted 16 October 2009 - 02:09 PM

You have signs of the TDSS rootkit. In order for it to be p[roperly cleaned, you need to move to the HJT/Advanced malware forum.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:36 AM

Posted 23 October 2009 - 07:46 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/265040/tdss-infection-well-hidden-and-obnoxious/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users