Infected with Rootkit (H8SRTd.sys) Redirecting Search Engines.


This topic is locked
12 replies to this topic

#1 Malleus Maleficarum
  • Members
  • 19 posts

Posted 05 January 2010 - 03:26 PM

The title basically says it all. There could be more rootkits, but H8SRTd is the only one GMER found.
Nothing to describe really. The only visible infection is the redirection. Most of the time Google gets redirected to a different site. I haven't seen the same one twice.

I'm running Windows XP SP3, Firefox 3.5.6 and Internet Explorer 8.

I had initially thought I had gotten rid of what was infecting my computer. I guess I didn't get all of it. I couldn't find any guides on how to get rid of this type of rootkit, so I'm thinking that this topic could be turned into a guide for the time being, seeing as there are 10+ topics about redirects.


New details: I cannot install MBAM and I cannot open up Spybot. Something is blocking those programs. I also cannot system restore.

Edited by Malleus Maleficarum, 05 January 2010 - 05:52 PM.



#2 trev47
  • Members
  • 113 posts

Posted 05 January 2010 - 10:41 PM

Did you try running TDSSKiller from http://support.kaspersky.com/viruses/solutions?qid=208280684 like I recommended in your other thread?

#3 Malleus Maleficarum
  • Topic Starter
  • Members
  • 19 posts

Posted 06 January 2010 - 10:16 AM

I did then. It said it found the H8SRTd and deleted it. I just ran it again and it found it again. Something tells me that that's not all that's infecting this computer :thumbsup:

The computer is now rebooting sometimes. I've tried to install audio drivers multiple times now and the computer will reboot before the installation finishes.

Edited by Malleus Maleficarum, 06 January 2010 - 10:21 AM.


#4 Malleus Maleficarum
  • Topic Starter
  • Members
  • 19 posts

Posted 06 January 2010 - 06:49 PM

TDSSKiller got rid of that H8SRTd rootkit again. But my computer is still crashing when I try to install an audio driver (Realtek AC'97 Audio).

#5 SuperBusa
  • Members
  • 47 posts

Posted 06 January 2010 - 06:52 PM

I'd recommend reading this before you use TDSSKiller ... it messed up my machine when I ran it.
http://www.bleepingcomputer.com/forums/t/284553/tdsskiller-killed-my-computer/


I followed the instructions from the download site [ http://support.kaspersky.com/viruses/solutions?qid=208280684 ], so don't know what happened.

Here are their instructions from Kaspersky Labs:

Disinfection of an infected system

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

Edited by SuperBusa, 06 January 2010 - 08:19 PM.


#6 Malleus Maleficarum
  • Topic Starter
  • Members
  • 19 posts

Posted 06 January 2010 - 11:02 PM

Pretty certain TDSSKiller has nothing to do with my audio driver getting screwed up. I think this topic needs to be moved to the hardware problems thread or something like that :|.

#7 trev47
  • Members
  • 113 posts

Posted 06 January 2010 - 11:06 PM

Try downloading rkill to your desktop from one of the following links. Double-click the file and the screen should flash briefly. If it does not work, try the next file.
try this one http://download.bleepingcomputer.com/grinler/rkill.pif
or this http://download.bleepingcomputer.com/grinler/rkill.scr
or this http://download.bleepingcomputer.com/grinler/rkill.exe
or this http://download.bleepingcomputer.com/grinler/rkill.com

Once you have successfully run rkill, download Malwarebytes and save it as cleaner.exe. Update it and run a full scan. Remove anything it finds. Then download ATF Cleaner from http://www.atribune.org/index.php?option=c...5&Itemid=25
Next run a scan at http://www.eset.com/onlinescan/

Let me know how it works.

#8 Malleus Maleficarum
  • Topic Starter
  • Members
  • 19 posts

Posted 07 January 2010 - 05:19 PM

The results. A few days ago I couldn't even open MBAM.



Malwarebytes' Anti-Malware 1.43
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/7/2010 4:17:47 PM
mbam-log-2010-01-07 (16-17-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 199344
Time elapsed: 47 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Keith\Local Settings\Temp\H8SRTfe9b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FB49F00-BE48-4B3D-A250-E2FB6D508742}\RP324\A0039197.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTobrulongtp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTtrmtahnatb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTcoapwdlynk.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT1ed8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT8b43.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
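
The log above is the poster's own MBAM output. The script below is an added example written for this page, not code from the thread or from Malwarebytes: it parses a log in the layout shown (header counts such as "Files Infected: 8", then "... Infected:" sections whose lines read "item (Family) -> action"), tallies detections per family, cross-checks the header counts against the listed items, and pulls out every file or key whose name starts with the H8SRT stem the thread's rootkit used. The sample text is copied from the posted log; the assumption is only that other MBAM logs of this era follow the same layout.

```python
import re
from collections import Counter

# Scan-log text copied from the MBAM log posted in this thread (real lines, not constructed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.43
Database version: 3510
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 199344

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Keith\Local Settings\Temp\H8SRTfe9b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FB49F00-BE48-4B3D-A250-E2FB6D508742}\RP324\A0039197.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTobrulongtp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTtrmtahnatb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTcoapwdlynk.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT1ed8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT8b43.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# Header summary line, e.g. "Files Infected: 8"
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# Detection line, e.g. "C:\path\file.dll (Trojan.Vundo) -> Quarantined and deleted successfully."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary_counts, findings) for an MBAM log in the layout above.

    summary_counts maps a section name to the count claimed in the header block;
    findings is a list of dicts with keys section, item, family, action.
    """
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):          # start of a detail section
            section = line[:-1]
            continue
        if section is None or line.startswith("("):  # header noise or "(No malicious items detected)"
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return summary, findings


def family_tally(findings):
    """Detections per classification family, e.g. Counter({'Rootkit.TDSS': 5, ...})."""
    return Counter(f["family"] for f in findings)


def count_mismatches(summary, findings):
    """Sections whose header count differs from the items actually listed (truncated log)."""
    per_section = Counter(f["section"] for f in findings)
    return {s: (n, per_section.get(s, 0)) for s, n in summary.items() if per_section.get(s, 0) != n}


def items_with_prefix(findings, prefix="H8SRT"):
    """Items whose file or key leaf name starts with the given stem, case-insensitively.
    Rootkits of this family named their dropped files after one random stem, so the
    stem is a quick way to group related artifacts for follow-up."""
    hits = []
    for f in findings:
        leaf = f["item"].replace("\\", "/").rsplit("/", 1)[-1]
        if leaf.upper().startswith(prefix.upper()):
            hits.append(f["item"])
    return hits


def unresolved(findings):
    """Detections whose action did not report success and therefore need manual follow-up."""
    return [f for f in findings if "successfully" not in f["action"].lower()]


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("detections:", len(findings))
    for fam, n in family_tally(findings).most_common():
        print(f"  {fam}: {n}")
    print("H8SRT-prefixed items:", len(items_with_prefix(findings)))
    print("count mismatches:", count_mismatches(summary, findings))
    print("unresolved:", unresolved(findings))
```

On the posted log this reports nine detections (five Rootkit.TDSS, two Trojan.Vundo, one Trojan.DNSChanger, one Malware.Packer), seven of them carrying the H8SRT stem, with header counts matching the listed items and nothing left unresolved. The System Volume Information hit is the one item a cleanup should note separately, since it lives in a restore point rather than on the live system.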

#9 trev47
  • Members
  • 113 posts

Posted 07 January 2010 - 09:55 PM

Malleus, did you run ATF Cleaner and then run the online scan at ESET?

#10 Malleus Maleficarum
  • Topic Starter
  • Members
  • 19 posts

Posted 07 January 2010 - 10:19 PM

Yeah. My situation is weird. MBAM will find stuff. It'll clean it. I'll run cleaners and stuff. Run a few extra scans with different programs. The coast looks clear. Then a day later it looks like it never left. Maybe this time will be different though?

Edited by Malleus Maleficarum, 07 January 2010 - 10:28 PM.


#11 Orange Blossom
  • Bleepin Investigator
  • Moderator
  • 36,807 posts
  • Location:Bloomington, IN

Posted 07 January 2010 - 10:24 PM

Hello Malleus Maleficarum,

Rootkits are bad business; removing one will require tools not used in the Am I Infected forum.

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==.

If you cannot produce the DDS logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#12 Malleus Maleficarum
  • Topic Starter
  • Members
  • 19 posts

Posted 07 January 2010 - 10:30 PM

Yes Sir!

Edited by Malleus Maleficarum, 07 January 2010 - 10:46 PM.


#13 Orange Blossom
  • Bleepin Investigator
  • Moderator
  • 36,807 posts
  • Location:Bloomington, IN

Posted 08 January 2010 - 10:22 AM

Hello,

I see that you were successful in creating the logs for the HijackThis forum. Now for the hard and frustrating part: waiting.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/285217/infected-with-rootkit-h8srt-and-tdss/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



