
Rootkit.Win32.TDSS.d


  • This topic is locked
2 replies to this topic

#1 phaidra

phaidra

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:27 AM

Posted 21 January 2010 - 05:26 AM

Hi there. I have had this infection for 5+ days. It all began with my internet surfing randomly leading me to other sites, many of which Google reported as known attack sites. I was using Norton at the time and it never picked anything up. I have also tried Spybot S&D, AdAware, CCleaner, and finally, Kaspersky Internet Security, which finally found Rootkit.Win32.TDSS.d - but Kaspersky deletes it, reboots, and the files have returned. I downloaded Malwarebytes, ran the update, scanned the system... and it didn't find anything.

I also tried a scan with XDelBox, which found that there was an issue with iastor.sys but was unable to quarantine or fix it. I tried to start in Safe Mode, but get the blue screen of death. I tried to create a Recovery Console, but it has an error, saying winnt32 doesn't work, and quits me out of it. I also tried TDSSKiller, the TDSS rootkit removal tool from Kaspersky Lab, and nothing worked. Per some other instructions I found online, I also cleaned up my hosts file, which was full of random websites.

I know there are a few other things I have tried, but I can't for the life of me remember them. What I do know is that I have gotten absolutely nowhere in the past 3-4 days.

I have never run into anything like this and am not sure what else to do. I will attach the files here that I read about in the guidelines. Please let me know what else you might need and thanks in advance for looking into this.


DDS (Ver_09-12-01.01) - NTFSx86
Run by lovenut at 2:02:05.54 on Thu 01/21/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1364 [GMT -8:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Documents and Settings\lovenut\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\lovenut\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: HepyxidaJgm.Hepyxida: {9832037d-6e51-4dcc-b197-1fe39cd09784} - c:\windows\system32\hepyxida.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lovenut\applic~1\mozilla\firefox\profiles\zefsrtg1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\lovenut\application data\mozilla\firefox\profiles\zefsrtg1.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\lovenut\application data\mozilla\firefox\profiles\zefsrtg1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\lovenut\application data\mozilla\firefox\profiles\zefsrtg1.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: general.useragent.extra.prevx -
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-1-18 315408]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-12-24 99248]

=============== Created Last 30 ================

2010-01-21 09:41:36 0 d-----w- C:\XPSP2
2010-01-21 09:41:01 0 d-----w- C:\XPCD
2010-01-20 10:57:51 247808 ----a-w- c:\windows\system32\drivers\kav_iastor.sys
2010-01-20 10:31:29 0 d-----w- c:\docume~1\alluse~1\applic~1\RegAce
2010-01-20 10:31:27 0 d-----w- c:\program files\RegAce
2010-01-20 10:13:34 53136 ----a-w- c:\windows\system32\PxSecure.dll-572468
2010-01-20 09:50:51 0 d-----w- c:\windows\system32\vmm32
2010-01-19 04:06:53 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-19 04:06:53 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-19 04:05:57 0 d-----w- c:\program files\Kaspersky Lab
2010-01-19 04:05:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-01-19 03:58:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-01-19 02:35:17 526 ----a-w- c:\windows\system32\.crusader
2010-01-19 02:35:17 234 ----a-w- c:\windows\system32\bootdelete.lst
2010-01-19 02:35:17 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-01-19 02:32:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-19 02:32:26 0 d-----w- c:\program files\Hitman Pro 3.5
2010-01-19 02:32:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-01-19 01:25:17 0 d-----w- c:\docume~1\lovenut\applic~1\Malwarebytes
2010-01-19 01:25:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 01:25:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 01:25:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 01:25:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 22:29:15 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-18 22:29:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-18 20:21:16 0 d-----w- c:\program files\CCleaner
2010-01-13 17:34:00 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-20 20:44:44 34068 ----a-w- c:\windows\fonts\Wild Script.ttf
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll

============= FINISH: 2:03:44.98 ===============

Full Scan: stopped 2 days ago (events: 3, objects: 1, time: 00:00:47)
1/18/2010 8:29:54 PM Task stopped
1/18/2010 8:29:08 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:29:07 PM Task started
Disinfect active threats: completed 2 days ago (events: 5, objects: 3318, time: 00:00:55)
1/18/2010 8:30:49 PM Task completed
1/18/2010 8:30:00 PM Untreated: Rootkit.Win32.TDSS.d System Memory Skipped by user
1/18/2010 8:30:00 PM Untreated: Rootkit.Win32.TDSS.d System Memory Cannot be disinfected
1/18/2010 8:29:54 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:29:54 PM Task started
Full Scan: stopped 2 days ago (events: 3, objects: 2, time: 00:01:30)
1/18/2010 8:34:34 PM Task stopped
1/18/2010 8:34:03 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:33:04 PM Task started
Disinfect active threats: completed 2 days ago (events: 5, objects: 3177, time: 00:00:32)
1/18/2010 8:34:34 PM Task started
1/18/2010 8:34:34 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:34:48 PM Untreated: Rootkit.Win32.TDSS.d System Memory Cannot be disinfected
1/18/2010 8:34:48 PM Untreated: Rootkit.Win32.TDSS.d System Memory Skipped by user
1/18/2010 8:35:07 PM Task completed
Full Scan: stopped 2 days ago (events: 5, objects: 11311, time: 00:06:09)
1/18/2010 8:37:43 PM Task started
1/18/2010 8:37:44 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:38:58 PM Untreated: Rootkit.Win32.TDSS.d System Memory Cannot be disinfected
1/18/2010 8:38:58 PM Untreated: Rootkit.Win32.TDSS.d System Memory Skipped by user
1/18/2010 8:43:53 PM Task stopped
Full Scan: stopped 2 days ago (events: 3, objects: 4, time: 00:00:07)
1/18/2010 8:55:16 PM Task stopped
1/18/2010 8:55:11 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:55:09 PM Task started
Disinfect active threats: completed 2 days ago (events: 7, objects: 3026, time: 00:00:28)
1/18/2010 8:55:44 PM Task completed
1/18/2010 8:55:18 PM Disinfected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:55:18 PM Disinfected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:55:17 PM Cannot be backed up: Rootkit.Win32.TDSS.y Unknown application
1/18/2010 8:55:16 PM Detected: Rootkit.Win32.TDSS.y Unknown application
1/18/2010 8:55:16 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:55:16 PM Task started
Full Scan: completed 2 days ago (events: 8, objects: 308863, time: 00:58:10)
1/18/2010 8:57:35 PM Task started
1/18/2010 8:57:37 PM Detected: Rootkit.Win32.TDSS.d System Memory
1/18/2010 8:57:56 PM Untreated: Rootkit.Win32.TDSS.d System Memory Cannot be disinfected
1/18/2010 8:57:56 PM Untreated: Rootkit.Win32.TDSS.d System Memory Skipped by user
1/18/2010 9:54:35 PM Detected: Rootkit.Win32.TDSS.y c:\WINDOWS\system32\drivers\kav_iastor.sys
1/18/2010 9:54:38 PM Untreated: Rootkit.Win32.TDSS.y c:\WINDOWS\system32\drivers\kav_iastor.sys Cannot be disinfected
1/18/2010 9:55:45 PM Deleted: Rootkit.Win32.TDSS.y c:\WINDOWS\system32\drivers\kav_iastor.sys
1/18/2010 9:55:46 PM Task completed
Rootkit Scan: completed 2 days ago (events: 2, objects: 651, time: 00:03:54)
1/18/2010 10:01:16 PM Task completed
1/18/2010 9:57:22 PM Task started
Rootkit Scan: completed 1 day ago (events: 2, objects: 668, time: 00:04:44)
1/19/2010 11:13:08 AM Task completed
1/19/2010 11:08:24 AM Task started
Objects Scan: stopped 1 day ago (events: 2, objects: 11, time: 00:00:05)
1/19/2010 8:04:07 PM Task stopped
1/19/2010 8:04:02 PM Task started
Objects Scan: stopped 23 hours ago (events: 2, objects: 3112, time: 00:00:49)
1/20/2010 2:57:28 AM Task stopped
1/20/2010 2:56:39 AM Task started
Full Scan: stopped 23 hours ago (events: 3, objects: 2, time: 00:00:15)
1/20/2010 2:57:46 AM Task stopped
1/20/2010 2:57:33 AM Detected: Rootkit.Win32.TDSS.d System Memory
1/20/2010 2:57:31 AM Task started
Disinfect active threats: completed 23 hours ago (events: 7, objects: 3272, time: 00:00:51)
1/20/2010 2:57:46 AM Task started
1/20/2010 2:57:46 AM Detected: Rootkit.Win32.TDSS.d System Memory
1/20/2010 2:57:49 AM Detected: Rootkit.Win32.TDSS.y Unknown application
1/20/2010 2:57:49 AM Cannot be backed up: Rootkit.Win32.TDSS.y Unknown application
1/20/2010 2:57:51 AM Disinfected: Rootkit.Win32.TDSS.d System Memory
1/20/2010 2:57:51 AM Disinfected: Rootkit.Win32.TDSS.d System Memory
1/20/2010 2:58:37 AM Task completed
Full Scan: stopped 23 hours ago (events: 5, objects: 993, time: 00:00:22)
1/20/2010 3:00:18 AM Task started
1/20/2010 3:00:20 AM Detected: Rootkit.Win32.TDSS.d System Memory
1/20/2010 3:00:30 AM Untreated: Rootkit.Win32.TDSS.d System Memory Cannot be disinfected
1/20/2010 3:00:30 AM Untreated: Rootkit.Win32.TDSS.d System Memory Skipped by user
1/20/2010 3:00:40 AM Task stopped
Rootkit Scan: completed 15 hours ago (events: 2, objects: 651, time: 00:04:33)
1/20/2010 11:05:12 AM Task completed
1/20/2010 11:00:39 AM Task started


#2 phaidra

phaidra
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:27 AM

Posted 21 January 2010 - 02:46 PM

You can go ahead and close this, sorry for the trouble.

The computer wouldn't so much as boot up this morning so I am currently reformatting.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,942 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:27 AM

Posted 21 January 2010 - 10:47 PM

Hello

Thank you for letting us know. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom
