TDSS Trojan with ROOTKIT. Cannot remove.


  • This topic is locked
3 replies to this topic

#1 Smithy25

  • Members
  • 15 posts

Posted 04 January 2010 - 12:40 PM

Hi, I've been referred from the 'Am I infected' thread.

I have a TDSS trojan on my computer; I cannot remove it with the instructions in this thread:

http://www.bleepingcomputer.com/forums/ind...p;#entry1565211

I've been told to download and run Win32kDiag and post the log here.

This is the log. I think there should be more, though, but this is all -

Running from: C:\Users\Byron Smith\Desktop\Win32kDiag.exe

Log file at : C:\Users\Byron Smith\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\bthservsdp.dat

[1] 2008-09-30 23:03:31 12 C:\Windows\bthservsdp.dat ()


#2 Smithy25

  • Topic Starter
  • Members
  • 15 posts

Posted 06 January 2010 - 11:54 AM

Hi there, I've been referred from the 'Am I infected' thread.

I have a backdoor TDSS trojan on my laptop somewhere, along with a rootkit.

I can't run any antivirus programs; it just says it's stopped working every time I boot one up.

I tried TDSSKiller. No luck, but here's the log.


23:15:46:946 1328 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
23:15:46:946 1328 ================================================================================

23:15:46:946 1328 SystemInfo:

23:15:46:946 1328 OS Version: 6.0.6001 ServicePack: 1.0
23:15:46:946 1328 Product type: Workstation
23:15:46:946 1328 ComputerName: BYRON
23:15:46:946 1328 UserName: Byron Smith
23:15:46:946 1328 Windows directory: C:\Windows
23:15:46:946 1328 Processor architecture: Intel x86
23:15:46:946 1328 Number of processors: 2
23:15:46:946 1328 Page size: 0x1000
23:15:46:962 1328 Boot type: Normal boot
23:15:46:962 1328 ================================================================================

23:15:46:962 1328 ForceUnloadDriver: NtUnloadDriver error 2
23:15:46:962 1328 ForceUnloadDriver: NtUnloadDriver error 2
23:15:46:962 1328 ForceUnloadDriver: NtUnloadDriver error 2
23:15:46:962 1328 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\Drivers\KLMD.sys) returned status 0
23:15:46:962 1328 main: Driver KLMD successfully dropped
23:15:46:962 1328 main: Driver KLMD successfully loaded
23:15:46:962 1328
Scanning Registry ...
23:15:46:977 1328 ScanServices: Searching service UACd.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service TDSSserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service gaopdxserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service gxvxcserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service MSIVXserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntoskrnl.exe, base addr: 8283C000
23:15:46:977 1328 UnhookRegistry: Kernel local addr: 1C80000
23:15:46:977 1328 UnhookRegistry: KeServiceDescriptorTable addr: 1DAC8C0
23:15:46:977 1328 UnhookRegistry: KiServiceTable addr: 1CED8D0
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey service number (local): 85
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey local addr: 1E53598
23:15:46:977 1328 KLMD_OpenDevice: Trying to open KLMD device
23:15:46:977 1328 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
23:15:46:977 1328 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
23:15:46:977 1328 KLMD_ReadMem: Trying to ReadMemory 0x828919ED[0x4]
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey service number (kernel): 85
23:15:46:977 1328 KLMD_ReadMem: Trying to ReadMemory 0x828A9AE4[0x4]
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey real addr: 82A0F598
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey calc addr: 82A0F598
23:15:46:977 1328 UnhookRegistry: No SDT hooks found on NtEnumerateKey
23:15:46:977 1328 KLMD_ReadMem: Trying to ReadMemory 0x82A0F598[0xA]
23:15:46:977 1328 UnhookRegistry: No splicing found on NtEnumerateKey
23:15:46:993 1328
Scanning Kernel memory ...
23:15:46:993 1328 KLMD_OpenDevice: Trying to open KLMD device
23:15:46:993 1328 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
23:15:46:993 1328 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:15:46:993 1328 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85857608
23:15:46:993 1328 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
23:15:46:993 1328 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 863358B0
23:15:46:993 1328 KLMD_GetLowerDeviceObject: Trying to get lower device object for 863358B0
23:15:46:993 1328 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8585C028
23:15:46:993 1328 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8585C028
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x8585C028[0x38]
23:15:46:993 1328 DetectCureTDL3: DRIVER_OBJECT addr: 858795D0
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x858795D0[0xA8]
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x8585F198[0x208]
23:15:46:993 1328 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
23:15:46:993 1328 DetectCureTDL3: IrpHandler (0) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (1) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (2) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (3) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (4) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (5) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (6) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (7) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (8) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (9) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (10) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (11) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (12) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (13) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (14) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (15) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (16) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (17) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (18) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (19) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (20) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (21) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (22) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (23) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (24) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (25) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (26) addr: 828CB827
23:15:46:993 1328 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
23:15:46:993 1328 KLMD_ReadMem: DeviceIoControl error 1
23:15:46:993 1328 TDL3_StartIoHookDetect: Unable to get StartIo handler code
23:15:46:993 1328 TDL3_FileDetect: Processing driver: iaStor
23:15:46:993 1328 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\iastor.sys, C:\Windows\system32\Drivers\iastor.tsk, SYSTEM\CurrentControlSet\Services\iaStor, system32\Drivers\iastor.tsk
23:15:46:993 1328 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\iastor.sys
23:15:46:993 1328 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\iastor.sys
23:15:47:009 1328
Completed

Results:
23:15:47:009 1328 Infected objects in memory: 0
23:15:47:009 1328 Cured objects in memory: 0
23:15:47:009 1328 Infected objects on disk: 0
23:15:47:009 1328 Objects on disk cured on reboot: 0
23:15:47:009 1328 Objects on disk deleted on reboot: 0
23:15:47:009 1328 Registry nodes deleted on reboot: 0
23:15:47:009 1328

Edited by Orange Blossom, 06 January 2010 - 07:22 PM.
Merged topics. ~ OB
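Reading the log above as a defender: the Results block reports zero infected objects, but a few lines earlier TDL3_StartIoHookDetect logged that it could not read the StartIo handler code, so one of the TDL3 checks never ran and the zero count is weaker evidence than it looks. The script below is an added example, not code from the post or from Kaspersky's TDSSKiller, that parses this log format into the facts the scan actually established (services searched, whether the NtEnumerateKey SDT entry and its code were found hooked, the disk driver's IRP handler targets, the result counters) and lists the checks that aborted, so that a log with no findings is not mistaken for a conclusive one. The sample log it runs on is constructed here in the format shown above, and the regexes, field names and the "inconclusive" rule are this example's own assumptions about that format.

```python
"""Summarise a TDSSKiller 2.1-style log: what was checked, what was found, what could not be checked."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the log format quoted in the post above; not a real capture.
SAMPLE_LOG = r"""
23:15:46:962 1328 main: Driver KLMD successfully loaded
23:15:46:962 1328
Scanning Registry ...
23:15:46:977 1328 ScanServices: Searching service UACd.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 ScanServices: Searching service TDSSserv.sys
23:15:46:977 1328 ScanServices: Open/Create key error 2
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey real addr: 82A0F598
23:15:46:977 1328 UnhookRegistry: NtEnumerateKey calc addr: 82A0F598
23:15:46:977 1328 UnhookRegistry: No SDT hooks found on NtEnumerateKey
23:15:46:977 1328 UnhookRegistry: No splicing found on NtEnumerateKey
23:15:46:993 1328
Scanning Kernel memory ...
23:15:46:993 1328 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
23:15:46:993 1328 DetectCureTDL3: IrpHandler (0) addr: 8A8B6860
23:15:46:993 1328 DetectCureTDL3: IrpHandler (1) addr: 828CB827
23:15:46:993 1328 DetectCureTDL3: IrpHandler (2) addr: 8A8B6860
23:15:46:993 1328 KLMD_ReadMem: DeviceIoControl error 1
23:15:46:993 1328 TDL3_StartIoHookDetect: Unable to get StartIo handler code
23:15:47:009 1328
Completed

Results:
23:15:47:009 1328 Infected objects in memory: 0
23:15:47:009 1328 Cured objects in memory: 0
23:15:47:009 1328 Infected objects on disk: 0
23:15:47:009 1328 Objects on disk cured on reboot: 0
23:15:47:009 1328
"""

# Line shapes assumed from the quoted log: "hh:mm:ss:mmm <pid> <message>", with the message optional.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s*(?P<msg>.*)$")
SERVICE_RE = re.compile(r"^ScanServices: Searching service (\S+)$")
ADDR_RE = re.compile(r"^UnhookRegistry: NtEnumerateKey (real|calc) addr: ([0-9A-Fa-f]+)$")
IRP_RE = re.compile(r"^DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)$")
DRIVER_RE = re.compile(r"^DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\(\S+),")
UNABLE_RE = re.compile(r"^(\w+): Unable to ")
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]+): (\d+)$")


@dataclass
class TdssReport:
    services_searched: List[str] = field(default_factory=list)
    sdt_hook: Optional[bool] = None        # None = the SDT check never reported a result
    splicing: Optional[bool] = None        # None = the inline-patch check never reported a result
    disk_driver: Optional[str] = None
    irp_handlers: Dict[int, int] = field(default_factory=dict)   # major function index -> handler address
    counters: Dict[str, int] = field(default_factory=dict)       # the "Results:" block
    incomplete_checks: List[str] = field(default_factory=list)   # routines that logged "Unable to ..."


def parse_tdsskiller_log(text: str) -> TdssReport:
    report = TdssReport()
    addrs: Dict[str, int] = {}
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Section markers ("Scanning Registry ...", "Completed", "Results:") carry no timestamp.
            in_results = line == "Results:"
            continue
        msg = m.group("msg")
        if not msg:
            continue  # timestamp-only line that precedes a section marker
        if in_results:
            c = COUNTER_RE.match(msg)
            if c:
                report.counters[c.group(1)] = int(c.group(2))
            continue
        if (s := SERVICE_RE.match(msg)):
            report.services_searched.append(s.group(1))
        elif (a := ADDR_RE.match(msg)):
            # The tool compares the SSDT entry it read with the address it computed from the
            # kernel image; a mismatch is what an SDT hook looks like.
            addrs[a.group(1)] = int(a.group(2), 16)
            if len(addrs) == 2:
                report.sdt_hook = addrs["real"] != addrs["calc"]
        elif msg == "UnhookRegistry: No SDT hooks found on NtEnumerateKey":
            if report.sdt_hook is None:
                report.sdt_hook = False
        elif msg == "UnhookRegistry: No splicing found on NtEnumerateKey":
            report.splicing = False
        elif (d := DRIVER_RE.match(msg)):
            report.disk_driver = d.group(1)
        elif (h := IRP_RE.match(msg)):
            report.irp_handlers[int(h.group(1))] = int(h.group(2), 16)
        elif (u := UNABLE_RE.match(msg)):
            report.incomplete_checks.append(u.group(1))
    return report


def assess(report: TdssReport) -> Dict[str, object]:
    """Turn the parsed facts into a verdict that separates 'nothing found' from 'everything checked'."""
    infected = sum(v for k, v in report.counters.items() if k.startswith("Infected"))
    hooked = report.sdt_hook is True
    # Distinct handler targets in the disk driver's dispatch table: worth an analyst's look, not a verdict.
    targets = sorted(set(report.irp_handlers.values()))
    conclusive = not report.incomplete_checks and report.sdt_hook is not None
    if infected or hooked:
        verdict = "infected"
    elif conclusive:
        verdict = "clean"
    else:
        verdict = "inconclusive"
    return {
        "infected_objects": infected,
        "sdt_hook": hooked,
        "irp_handler_targets": [f"{t:08X}" for t in targets],
        "incomplete_checks": list(report.incomplete_checks),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess(parse_tdsskiller_log(SAMPLE_LOG)))
```

On the constructed sample the verdict comes out "inconclusive" rather than "clean", because the StartIo hook check is recorded as aborted; that is the point a helper reading such a log wants surfaced before deciding the machine needs no further tools.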


#3 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 12 January 2010 - 08:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 17 January 2010 - 02:06 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti