infected by rootkit BackDoor.Tdss.565


This topic is locked. 11 replies to this topic.

#1 Tooz

Posted 11 November 2009 - 01:34 AM

I am getting this every time from Dr.Web:
Process in memory: C:\Program Files\Internet Explorer\IEXPLORE.EXE:464;;BackDoor.Tdss.565;Eradicated.;
Ran Malwarebytes -
Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 3, v.3311

11/11/2009 12:21:13 AM
mbam-log-2009-11-11 (00-21-10).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 346785
Time elapsed: 1 hour(s), 59 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Ran TFC.
Ran SuperAntiSpyware free edition - shows nothing.

I can't for some reason reboot in safe mode.

Will appreciate any help :thumbsup:

PS: subscribed to this topic

Edited by Tooz, 11 November 2009 - 01:36 AM.



#2 D_N_M

Posted 11 November 2009 - 01:50 AM

Hello Tooz,
Your log shows "No action taken" in the Malwarebytes log.
Please update Malwarebytes, re-run a quick scan and let it fix anything it finds, then post a new log back to this thread for review.

Thank you

D_N_M

#3 Tooz (Topic Starter)

Posted 11 November 2009 - 10:08 AM

Here it is, thanks:
Malwarebytes' Anti-Malware 1.41
Database version: 3146
Windows 5.1.2600 Service Pack 3, v.3311

11/11/2009 9:01:45 AM
mbam-log-2009-11-11 (09-01-45).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 287646
Time elapsed: 1 hour(s), 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
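The two Malwarebytes logs above contain the same "Registry Data Items" finding twice: the first run only reported the BITS and wuauserv ImagePath hijack ("No action taken"), the second run quarantined it. As an added example, not from this thread and not part of Malwarebytes, the following Python script parses those log lines, extracts the service, the bad and good values and the action, and flags findings that were reported but not fixed (the point D_N_M raised). It also shows why the bad value is harmful: %fystemRoot% is not a defined environment variable, so the ImagePath never expands to the real svchost.exe and the BITS and Windows Update services cannot start. The sample lines are copied from the logs in this thread; the KNOWN_VARIABLES set is an assumption made for the example rather than a read of a real system environment.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the two Malwarebytes logs posted in this thread:
# the first run reported the BITS hijack but took no action, the second run
# quarantined the wuauserv hijack.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# Shape of one "Registry Data Items" line: key (detection) -> Bad: (x) Good: (y) -> action.
REG_DATA_LINE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?\s*$"
)

# Environment variables a service ImagePath can legitimately rely on.
# ASSUMED minimal set for this example; a real checker would read the
# machine's actual system environment instead.
KNOWN_VARIABLES = ("SystemRoot", "windir", "ProgramFiles", "SystemDrive")


@dataclass
class Finding:
    service: str      # service key name, e.g. BITS or wuauserv
    value_name: str   # registry value, e.g. ImagePath
    detection: str    # Malwarebytes detection name
    bad: str          # value as found on the machine
    good: str         # value Malwarebytes wants to restore
    action: str       # what the scan did about it
    remediated: bool  # False when the log only reported the problem


def parse_mbam_registry_data(log_text: str) -> List[Finding]:
    """Extract every 'Registry Data Items' finding from a Malwarebytes log."""
    findings = []
    for line in log_text.splitlines():
        m = REG_DATA_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group("key").split("\\")
        findings.append(Finding(
            service=parts[-2],
            value_name=parts[-1],
            detection=m.group("detection"),
            bad=m.group("bad"),
            good=m.group("good"),
            action=m.group("action"),
            remediated=not m.group("action").lower().startswith("no action"),
        ))
    return findings


def unremediated(findings: List[Finding]) -> List[Finding]:
    """Findings the scan reported but did not fix."""
    return [f for f in findings if not f.remediated]


def undefined_variables(value: str, known=KNOWN_VARIABLES) -> List[str]:
    """Names of %VAR% references in a registry value that no known variable
    satisfies. An undefined variable never expands, so the service binary path
    points nowhere and the service cannot start."""
    known_lower = {k.lower() for k in known}
    return [v for v in re.findall(r"%([^%\s]+)%", value) if v.lower() not in known_lower]


def explain(finding: Finding) -> str:
    """One-line summary of a finding, suitable for a reply in a thread like this."""
    missing = undefined_variables(finding.bad)
    cause = (f"references undefined variable(s) {', '.join(missing)}"
             if missing else "differs from the expected value")
    state = "fixed" if finding.remediated else "NOT fixed"
    return f"{finding.service}\\{finding.value_name}: {cause}; {state} ({finding.action})"


if __name__ == "__main__":
    for f in parse_mbam_registry_data(SAMPLE_LOG):
        print(explain(f))
```

Run it on a saved mbam-log file in place of SAMPLE_LOG; any line in the output marked NOT fixed is a finding that still needs the scan re-run with removal enabled, which is exactly what the second log in this thread shows.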

#4 D_N_M

Posted 11 November 2009 - 10:19 AM

Hello Tooz,

Great job with the scan :thumbsup:
Are you still having any problems?
Let's also run a scan with this: http://www.superantispyware.com/
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
* In the Main Menu, click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.
* Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

* Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes" and reboot normally.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

If you cannot boot into safe mode, then perform your scans in normal mode.

{credits to quietman7}



Regards

D_N_M

#5 Tooz (Topic Starter)

Posted 11 November 2009 - 07:38 PM

Hello D_N_M,

Still there as it was before.

1)
Ran SuperAntiSpyware free edition in normal mode (mentioned before I can't boot in safe mode).
LOG:

Application Version : 4.29.1004

Core Rules Database Version : 4259
Trace Rules Database Version: 2145

Scan type : Complete Scan
Total Scan Time : 00:31:46

Memory items scanned : 420
Memory threats detected : 0
Registry items scanned : 6641
Registry threats detected : 0
File items scanned : 23602
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Alan\Cookies\alan@rambler[1].txt
C:\Documents and Settings\Alan\Cookies\alan@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Alan\Cookies\alan@content.yieldmanager[1].txt
C:\Documents and Settings\Alan\Cookies\alan@ad.wsod[2].txt
C:\Documents and Settings\Alan\Cookies\alan@interclick[2].txt
C:\Documents and Settings\Alan\Cookies\alan@tribalfusion[1].txt
C:\Documents and Settings\Alan\Cookies\alan@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Alan\Cookies\alan@collective-media[1].txt

2) Ran Dr.Web.
Log:
Process in memory: C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe:844;;BackDoor.Tdss.565;Eradicated.;

Like I saw before, it attaches itself to the main processes like Explorer.exe, Skype.exe, etc. Need something more radical here :trumpet:

Also tried to scan with GMER - GMER is crashing.

Update:

Looks like ComboFix fixed it.
Here is a partial log:
......
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x909081F8]<<
kernel: MBR read successfully
user & kernel MBR OK
:flowers: Right there!!!
malicious code @ sector 0x1d1c4581 size 0x1e4 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x01D1C4581 !

...................

Running all anti-malware tools available on my machine and keeping my fingers crossed :thumbsup:

I'll keep you posted

thanks!

Edited by Tooz, 11 November 2009 - 09:50 PM.


#6 boopme (Global Moderator)

Posted 11 November 2009 - 09:52 PM

Some rootkits can terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Further investigation is required to determine if this is the case with the issues you have described.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents (starting with Running from... to Finished!) in your next reply.
Then go to Start > Run..., copy and paste this command into the open box: cmd, and press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Tooz (Topic Starter)

Posted 12 November 2009 - 12:16 AM

Hi boopme,

Here are the steps I went through.

After a full scan ran with Anti-Malware, log:
Malwarebytes' Anti-Malware 1.41
Database version: 3152
Windows 5.1.2600 Service Pack 3, v.3311

11/11/2009 9:50:08 PM
mbam-log-2009-11-11 (21-50-08).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 281534
Time elapsed: 1 hour(s), 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{C8705760-F5B2-42EE-A5C3-E9A17C28067C}\RP205\A0051199.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

System rebooted.

Win32kDiag log:

Running from: C:\Documents and Settings\Alan\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Alan\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

Log.txt:

Volume in drive C has no label.
Volume Serial Number is E863-DFDD

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

02/12/2008 02:59 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

02/12/2008 02:59 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

02/12/2008 02:58 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

02/12/2008 02:59 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

02/12/2008 02:59 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

02/12/2008 02:58 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

02/12/2008 02:59 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

02/12/2008 02:59 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

02/12/2008 02:58 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 51,791,118,336 bytes free


It's still there.. :thumbsup:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/11/2009 at 11:54 PM

Application Version : 4.30.1004

Core Rules Database Version : 4263
Trace Rules Database Version: 2148

Scan type : Complete Scan
Total Scan Time : 00:27:03

Memory items scanned : 402
Memory threats detected : 0
Registry items scanned : 6626
Registry threats detected : 0
File items scanned : 23704
File threats detected : 2

Trojan.Agent/Gen-Nullo[Short]
E:\SYSTEM VOLUME INFORMATION\_RESTORE{C8705760-F5B2-42EE-A5C3-E9A17C28067C}\RP204\A0050584.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{C8705760-F5B2-42EE-A5C3-E9A17C28067C}\RP204\A0050585.EXE


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, November 12, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3, v.3311 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, November 12, 2009 06:50:24
Records in database: 3194318
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Objects scanned: 142918
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 06:33:02


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\iqawoxutapimo.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.emx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nvata.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\WINDOWS\iqadehib.dll Infected: Trojan-Downloader.Win32.Mufanom.esr 1

Edited by Tooz, 12 November 2009 - 08:44 AM.
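boopme's DIR command above lists scecli.dll, netlogon.dll and eventlog.dll in every directory under %windir%, so that the live copies in system32 can be compared against the pristine copies the service pack installer left in ServicePackFiles\i386; in Tooz's Log.txt all three match in size and timestamp. As an added example, not part of the thread and not a BleepingComputer tool, the following Python script parses that DIR output and reports any watched file in system32 that is missing or whose size or timestamp differs from the ServicePackFiles reference. The first two samples are copied from the Log.txt posted above; the third is a constructed variant with a changed eventlog.dll size, labelled as such in the code, to show what a discrepancy looks like.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Lines copied from the DIR /a/s Log.txt posted above: the service pack's
# pristine copies and the live copies in system32.
REFERENCE_EXCERPT = r"""
 Directory of C:\WINDOWS\ServicePackFiles\i386

02/12/2008 02:59 PM 181,248 scecli.dll

 Directory of C:\WINDOWS\ServicePackFiles\i386

02/12/2008 02:59 PM 407,040 netlogon.dll

 Directory of C:\WINDOWS\ServicePackFiles\i386

02/12/2008 02:58 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
"""
LIVE_EXCERPT = r"""
 Directory of C:\WINDOWS\system32

02/12/2008 02:59 PM 181,248 scecli.dll

 Directory of C:\WINDOWS\system32

02/12/2008 02:59 PM 407,040 netlogon.dll

 Directory of C:\WINDOWS\system32

02/12/2008 02:58 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
"""
# CONSTRUCTED variant (not from the thread): eventlog.dll in system32 is 512 bytes larger.
TAMPERED_LIVE_EXCERPT = LIVE_EXCERPT.replace("56,320 eventlog.dll", "56,832 eventlog.dll")

SYSTEM32 = r"C:\WINDOWS\system32"
REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"
WATCHED_FILES = ("scecli.dll", "netlogon.dll", "eventlog.dll")

DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_LINE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    size: int


def parse_dir_listing(text: str) -> Dict[str, Dict[str, Entry]]:
    """Index DIR /s output as file name -> {directory -> Entry}, both lowercased."""
    index: Dict[str, Dict[str, Entry]] = defaultdict(dict)
    current = None
    for line in text.splitlines():
        h = DIR_HEADER.match(line)
        if h:
            current = h.group("dir").lower()
            continue
        f = FILE_LINE.match(line)
        if f and current is not None:
            size = int(f.group("size").replace(",", ""))
            index[f.group("name").lower()][current] = Entry(f.group("date"), f.group("time"), size)
    return dict(index)


def compare_copies(index, live_dir: str, ref_dir: str, names) -> List[str]:
    """One line per discrepancy between the live copy and the reference copy;
    an empty list means every watched file is present and matches."""
    live_dir, ref_dir = live_dir.lower(), ref_dir.lower()
    problems = []
    for name in names:
        copies = index.get(name.lower(), {})
        ref, live = copies.get(ref_dir), copies.get(live_dir)
        if ref is None:
            problems.append(f"{name}: no reference copy under {ref_dir}")
        elif live is None:
            problems.append(f"{name}: missing from {live_dir}")
        else:
            if live.size != ref.size:
                problems.append(f"{name}: size {live.size} in {live_dir} vs {ref.size} in {ref_dir}")
            if (live.date, live.time) != (ref.date, ref.time):
                problems.append(f"{name}: timestamp {live.date} {live.time} in {live_dir} "
                                f"vs {ref.date} {ref.time} in {ref_dir}")
    return problems


def check_listing(text: str) -> List[str]:
    """Run the comparison boopme's DIR command was set up for."""
    return compare_copies(parse_dir_listing(text), SYSTEM32, REFERENCE_DIR, WATCHED_FILES)


if __name__ == "__main__":
    print("thread log:", check_listing(REFERENCE_EXCERPT + LIVE_EXCERPT) or "consistent")
    print("constructed:", check_listing(REFERENCE_EXCERPT + TAMPERED_LIVE_EXCERPT))
```

$NtServicePackUninstall$ holds the pre-SP3 versions and legitimately differs, so it is not used as the reference. Matching size and date is only a consistency check, not proof the file is clean: a patched file can keep both, which is why the thread moves on to DDS/HijackThis and why the TDSS-infected nvata.sys was caught by the Kaspersky scan of the ComboFix quarantine rather than by this listing. A hash comparison against a known-good copy is the stronger version of the same check.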


#8 boopme (Global Moderator)

Posted 12 November 2009 - 05:09 PM

You will need to run HJT/DDS to dig this out.
Please follow this guide: go and do steps 6 through 8 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#9 Tooz (Topic Starter)

Posted 13 November 2009 - 11:34 AM

Hey boopme, OK... DDS ran OK, I have the log files (not sure if you need them since RootRepeal didn't work).
Tried to run RootRepeal three times; it crashes the machine (goes into reboot mode and asks which mode to boot from).

I am actually starting to pack up by backing up my data to be ready for the worst. I may have to reinstall my OS with Win 7 Ult if worse comes to worst, but somehow I have a bad feeling about it.. Let me know if there are any other options I have.

thanks

Edited by Tooz, 13 November 2009 - 11:46 AM.


#10 boopme (Global Moderator)

Posted 13 November 2009 - 12:17 PM

OK, good. Post the DDS in the HJT forum I linked to above. Tell them also that RR did not run, thanks.
Let me know if you got it posted.

#11 Tooz (Topic Starter)

Posted 13 November 2009 - 02:44 PM

Thanks boopme, just posted.

#12 boopme (Global Moderator)

Posted 13 November 2009 - 02:53 PM

OK, you did good; they will be along to clean that.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.