
Rootkit.TDSS Hacktool.rootkit


This topic is locked
5 replies to this topic

#1 xmyriadx

  • Members
  • 104 posts
  • Local time:02:23 AM

Posted 05 November 2009 - 12:23 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/264741/another-virus-rootkittdss-hacktoolrootkit/ ~ OB

Rootkit.TDSS Hacktool.rootkit <----- may have been removed, not sure though.


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/17 23:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE661000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7D44000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDFD0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xee8ec794

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xee8ecf1e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xee8ebd0a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xee8eb384

==EOF==


Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


Volume in drive C has no label.
Volume Serial Number is 64E3-C6A1

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

08/04/2004 01:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 01:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
6 File(s) 1,286,144 bytes
0 Dir(s) 49,205,882,880 bytes free


Malwarebytes' Anti-Malware 1.38
Database version: 2358
Windows 5.1.2600 Service Pack 2

10/18/2009 8:00:42 PM
mbam-log-2009-10-18 (20-00-42).txt

Scan type: Quick Scan
Objects scanned: 94360
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This post has been edited by xmyriadx: Oct 18 2009, 08:15 P


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2009 at 11:08 PM

Application Version : 4.29.1004

Core Rules Database Version : 4172
Trace Rules Database Version: 2093

Scan type : Complete Scan
Total Scan Time : 02:31:46

Memory items scanned : 273
Memory threats detected : 0
Registry items scanned : 6012
Registry threats detected : 0
File items scanned : 75145
File threats detected : 0



DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 21:13:42.65 on Wed 11/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.491 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\1133070972\ee\AOLSoftware.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\3.23.0.11\PlaxoHelper_en.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PlaxoUpdate] c:\program files\plaxo\3.23.0.11\PlaxoHelper_en.exe -a
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [PlaxoSysTray] c:\program files\plaxo\3.23.0.11\PlaxoSysTray.exe
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [2wSysTray] c:\program files\2wire\2PortalMon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [HostManager] c:\program files\common files\aol\1133070972\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file://d:\components\Liquid.ocx
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: fairydom - No File
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\7tzv7ke8.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2005-5-16 6097]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-7-28 356920]
S3 DPS24USB;AKAI DPS24 Driver;c:\windows\system32\drivers\DPS24USB.sys [2008-6-11 12273]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2005-5-16 299923]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2009-1-7 47360]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\drivers\sustucap.sys [2009-1-7 47360]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys [2009-1-7 28032]

=============== Created Last 30 ================

2009-10-25 06:05:35 83784 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-19 03:21:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-19 03:21:02 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-19 03:21:02 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2009-09-22 20:01:49 28032 ----a-w- c:\windows\system32\drivers\sustucau.sys
2009-09-22 20:01:47 47360 ----a-w- c:\windows\system32\drivers\sustucap.sys
2009-09-22 20:01:46 47360 ----a-w- c:\windows\system32\drivers\sustucam.sys
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-03-11 20:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-06-23 09:35:17 17952 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-23 09:35:17 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 21:14:14.34 ===============

Edited by Orange Blossom, 05 November 2009 - 10:55 PM.



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 09 November 2009 - 07:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 xmyriadx

  • Topic Starter
  • Members
  • 104 posts
  • Local time:02:23 AM

Posted 10 November 2009 - 07:58 AM

Please help, thanks, not sure if it's gone.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 10 November 2009 - 08:48 AM

Hi xmyriadx,

Most of the tools that you posted logs from would be able to detect TDSS rootkit activity but none have.

So, it looks like you don't have any malware, I believe the scans back that up.

Are you experiencing any symptoms?

What happened in the first place which made you suspect malware involvement? When you say it "just showed up" what do you mean by that?

Thanks :(
m0le is a proud member of UNITE

#5 xmyriadx

  • Topic Starter
  • Members
  • 104 posts
  • Local time:02:23 AM

Posted 10 November 2009 - 09:53 PM

It started off with my Spyware Doctor detecting it. Then it got quarantined with SD, and then removed. So I guess it did the trick? No problems with the way my computer is running currently. Just worried about the registry or if it is hidden, but nothing comes up, so I guess I'm clean? Thanks for your help!!

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 11 November 2009 - 07:36 AM

No problem :(

-------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE