
NASTY TDSS ROOTKIT! (REALLY NASTY BUGGER) HELP!


This topic is locked
2 replies to this topic

#1 VenomRx

  • Members
  • 8 posts

Posted 16 April 2010 - 06:28 PM

Hello! It seems that I have a "TDSS ROOTKIT" on my computer. My brother uses the infected computer most of the time, so, God knows where he got it from. I ran Malwarebytes Anti-Malware, NOD32 Smart Security, Prevx, Hitman Pro, GMER, and TDSSKiller. However, none of them seem to remove it. (Thanks in advance.) Here are my latest logs:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 12:52:37
Windows 5.1.2600 Service Pack 3
Running: gmerr.exe; Driver: C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\afddqaoc.sys


---- System - GMER 1.0.15 ----

SSDT 86D2F580 ZwAssignProcessToJobObject
SSDT 86D30100 ZwDebugActiveProcess
SSDT 86D2FB30 ZwDuplicateObject
SSDT 86D2ECC0 ZwOpenProcess
SSDT 86D2EFC0 ZwOpenThread
SSDT 86D2F9C0 ZwProtectVirtualMemory
SSDT 86D2F860 ZwSetContextThread
SSDT 86D2F6E0 ZwSetInformationThread
SSDT 86D2C700 ZwSetSecurityObject
SSDT 86D2F420 ZwSuspendProcess
SSDT 86D2F2C0 ZwSuspendThread
SSDT 86D2EE50 ZwTerminateProcess
SSDT 86D2F150 ZwTerminateThread
SSDT 86D2FF50 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 872D4AC8

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P0Y8WPMF\xd_receiver[1].htm 591 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


17:31:22:843 3980 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:31:22:843 3980 ================================================================================
17:31:22:843 3980 SystemInfo:

17:31:22:843 3980 OS Version: 5.1.2600 ServicePack: 3.0
17:31:22:843 3980 Product type: Workstation
17:31:22:843 3980 ComputerName: ADMIN-8817046C
17:31:22:843 3980 UserName: George Luis
17:31:22:843 3980 Windows directory: C:\WINDOWS
17:31:22:843 3980 Processor architecture: Intel x86
17:31:22:859 3980 Number of processors: 1
17:31:22:859 3980 Page size: 0x1000
17:31:22:859 3980 Boot type: Normal boot
17:31:22:859 3980 ================================================================================
17:31:22:937 3980 UnloadDriverW: NtUnloadDriver error 2
17:31:22:937 3980 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:31:23:468 3980 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:31:23:468 3980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:31:23:468 3980 wfopen_ex: Trying to KLMD file open
17:31:23:468 3980 wfopen_ex: File opened ok (Flags 2)
17:31:23:468 3980 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:31:23:468 3980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:31:23:468 3980 wfopen_ex: Trying to KLMD file open
17:31:23:468 3980 wfopen_ex: File opened ok (Flags 2)
17:31:23:468 3980 Initialize success
17:31:23:468 3980
17:31:23:468 3980 Scanning Services ...
17:31:24:671 3980 Raw services enum returned 365 services
17:31:24:687 3980
17:31:24:687 3980 Scanning Kernel memory ...
17:31:24:687 3980 Devices to scan: 4
17:31:24:687 3980
17:31:24:703 3980 Driver Name: Disk
17:31:24:703 3980 IRP_MJ_CREATE : F7824BB0
17:31:24:703 3980 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:31:24:703 3980 IRP_MJ_CLOSE : F7824BB0
17:31:24:703 3980 IRP_MJ_READ : F781ED1F
17:31:24:703 3980 IRP_MJ_WRITE : F781ED1F
17:31:24:703 3980 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:31:24:703 3980 IRP_MJ_SET_INFORMATION : 804FA88E
17:31:24:703 3980 IRP_MJ_QUERY_EA : 804FA88E
17:31:24:703 3980 IRP_MJ_SET_EA : 804FA88E
17:31:24:703 3980 IRP_MJ_FLUSH_BUFFERS : F781F2E2
17:31:24:703 3980 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:31:24:703 3980 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:31:24:703 3980 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:31:24:703 3980 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:31:24:703 3980 IRP_MJ_DEVICE_CONTROL : F781F3BB
17:31:24:703 3980 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7822F28
17:31:24:703 3980 IRP_MJ_SHUTDOWN : F781F2E2
17:31:24:703 3980 IRP_MJ_LOCK_CONTROL : 804FA88E
17:31:24:703 3980 IRP_MJ_CLEANUP : 804FA88E
17:31:24:703 3980 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:31:24:703 3980 IRP_MJ_QUERY_SECURITY : 804FA88E
17:31:24:703 3980 IRP_MJ_SET_SECURITY : 804FA88E
17:31:24:703 3980 IRP_MJ_POWER : F7820C82
17:31:24:703 3980 IRP_MJ_SYSTEM_CONTROL : F782599E
17:31:24:703 3980 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:31:24:703 3980 IRP_MJ_QUERY_QUOTA : 804FA88E
17:31:24:703 3980 IRP_MJ_SET_QUOTA : 804FA88E
17:31:24:765 3980 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:31:24:765 3980
17:31:24:765 3980 Driver Name: Disk
17:31:24:765 3980 IRP_MJ_CREATE : F7824BB0
17:31:24:765 3980 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:31:24:765 3980 IRP_MJ_CLOSE : F7824BB0
17:31:24:765 3980 IRP_MJ_READ : F781ED1F
17:31:24:765 3980 IRP_MJ_WRITE : F781ED1F
17:31:24:765 3980 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:31:24:765 3980 IRP_MJ_SET_INFORMATION : 804FA88E
17:31:24:765 3980 IRP_MJ_QUERY_EA : 804FA88E
17:31:24:765 3980 IRP_MJ_SET_EA : 804FA88E
17:31:24:765 3980 IRP_MJ_FLUSH_BUFFERS : F781F2E2
17:31:24:765 3980 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:31:24:765 3980 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:31:24:765 3980 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:31:24:765 3980 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:31:24:765 3980 IRP_MJ_DEVICE_CONTROL : F781F3BB
17:31:24:765 3980 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7822F28
17:31:24:765 3980 IRP_MJ_SHUTDOWN : F781F2E2
17:31:24:765 3980 IRP_MJ_LOCK_CONTROL : 804FA88E
17:31:24:765 3980 IRP_MJ_CLEANUP : 804FA88E
17:31:24:765 3980 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:31:24:765 3980 IRP_MJ_QUERY_SECURITY : 804FA88E
17:31:24:765 3980 IRP_MJ_SET_SECURITY : 804FA88E
17:31:24:765 3980 IRP_MJ_POWER : F7820C82
17:31:24:765 3980 IRP_MJ_SYSTEM_CONTROL : F782599E
17:31:24:765 3980 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:31:24:765 3980 IRP_MJ_QUERY_QUOTA : 804FA88E
17:31:24:765 3980 IRP_MJ_SET_QUOTA : 804FA88E
17:31:24:796 3980 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:31:24:796 3980
17:31:24:796 3980 Driver Name: atapi
17:31:24:796 3980 IRP_MJ_CREATE : F76FB6F2
17:31:24:796 3980 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:31:24:796 3980 IRP_MJ_CLOSE : F76FB6F2
17:31:24:796 3980 IRP_MJ_READ : 804FA88E
17:31:24:796 3980 IRP_MJ_WRITE : 804FA88E
17:31:24:796 3980 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:31:24:796 3980 IRP_MJ_SET_INFORMATION : 804FA88E
17:31:24:796 3980 IRP_MJ_QUERY_EA : 804FA88E
17:31:24:796 3980 IRP_MJ_SET_EA : 804FA88E
17:31:24:796 3980 IRP_MJ_FLUSH_BUFFERS : 804FA88E
17:31:24:796 3980 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:31:24:796 3980 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:31:24:796 3980 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:31:24:796 3980 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:31:24:796 3980 IRP_MJ_DEVICE_CONTROL : F76FB712
17:31:24:796 3980 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76F7852
17:31:24:796 3980 IRP_MJ_SHUTDOWN : 804FA88E
17:31:24:796 3980 IRP_MJ_LOCK_CONTROL : 804FA88E
17:31:24:796 3980 IRP_MJ_CLEANUP : 804FA88E
17:31:24:796 3980 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:31:24:796 3980 IRP_MJ_QUERY_SECURITY : 804FA88E
17:31:24:796 3980 IRP_MJ_SET_SECURITY : 804FA88E
17:31:24:796 3980 IRP_MJ_POWER : F76FB73C
17:31:24:796 3980 IRP_MJ_SYSTEM_CONTROL : F7702336
17:31:24:796 3980 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:31:24:796 3980 IRP_MJ_QUERY_QUOTA : 804FA88E
17:31:24:796 3980 IRP_MJ_SET_QUOTA : 804FA88E
17:31:24:921 3980 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
17:31:24:921 3980
17:31:24:921 3980 Driver Name: atapi
17:31:24:921 3980 IRP_MJ_CREATE : 872D4AC8
17:31:24:921 3980 IRP_MJ_CREATE_NAMED_PIPE : 872D4AC8
17:31:24:921 3980 IRP_MJ_CLOSE : 872D4AC8
17:31:24:921 3980 IRP_MJ_READ : 872D4AC8
17:31:24:921 3980 IRP_MJ_WRITE : 872D4AC8
17:31:24:921 3980 IRP_MJ_QUERY_INFORMATION : 872D4AC8
17:31:24:921 3980 IRP_MJ_SET_INFORMATION : 872D4AC8
17:31:24:921 3980 IRP_MJ_QUERY_EA : 872D4AC8
17:31:24:921 3980 IRP_MJ_SET_EA : 872D4AC8
17:31:24:921 3980 IRP_MJ_FLUSH_BUFFERS : 872D4AC8
17:31:24:921 3980 IRP_MJ_QUERY_VOLUME_INFORMATION : 872D4AC8
17:31:24:921 3980 IRP_MJ_SET_VOLUME_INFORMATION : 872D4AC8
17:31:24:921 3980 IRP_MJ_DIRECTORY_CONTROL : 872D4AC8
17:31:24:921 3980 IRP_MJ_FILE_SYSTEM_CONTROL : 872D4AC8
17:31:24:921 3980 IRP_MJ_DEVICE_CONTROL : 872D4AC8
17:31:24:921 3980 IRP_MJ_INTERNAL_DEVICE_CONTROL : 872D4AC8
17:31:24:921 3980 IRP_MJ_SHUTDOWN : 872D4AC8
17:31:24:921 3980 IRP_MJ_LOCK_CONTROL : 872D4AC8
17:31:24:921 3980 IRP_MJ_CLEANUP : 872D4AC8
17:31:24:921 3980 IRP_MJ_CREATE_MAILSLOT : 872D4AC8
17:31:24:921 3980 IRP_MJ_QUERY_SECURITY : 872D4AC8
17:31:24:921 3980 IRP_MJ_SET_SECURITY : 872D4AC8
17:31:24:921 3980 IRP_MJ_POWER : 872D4AC8
17:31:24:921 3980 IRP_MJ_SYSTEM_CONTROL : 872D4AC8
17:31:24:921 3980 IRP_MJ_DEVICE_CHANGE : 872D4AC8
17:31:24:921 3980 IRP_MJ_QUERY_QUOTA : 872D4AC8
17:31:24:921 3980 IRP_MJ_SET_QUOTA : 872D4AC8
17:31:24:921 3980 Driver "atapi" infected by TDSS rootkit!
17:31:24:937 3980 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
17:31:24:937 3980 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ... 17:31:24:937 3980 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
17:31:24:937 3980 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:31:25:796 3980 vfvi6
17:31:26:312 3980 !dsvbh1
17:31:36:234 3980 dsvbh2
17:31:36:234 3980 fdfb2
17:31:36:234 3980 Backup copy found, using it..
17:31:36:921 3980 will be cured on next reboot
17:31:36:921 3980 Reboot required for cure complete..
17:31:37:265 3980 Cure on reboot scheduled successfully
17:31:37:265 3980
17:31:37:265 3980 Completed
17:31:37:265 3980
17:31:37:265 3980 Results:
17:31:37:265 3980 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:31:37:265 3980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:31:37:265 3980 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:31:37:265 3980
17:31:37:265 3980 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:31:37:265 3980 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:31:37:265 3980 UnloadDriverW: NtUnloadDriver error 1
17:31:37:265 3980 KLMD(ARK) unloaded successfully



Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3993

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-04-15 03:03:53 PM
mbam-log-2010-04-15 (15-03-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 158519
Time elapsed: 1 hour(s), 28 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
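The TDSSKiller dump above shows why the tool flagged atapi: the clean dispatch table mixes driver-specific handlers (F76FB6F2, F76FB712, ...) with the kernel's default stub (804FA88E), whereas the infected one routes every IRP_MJ entry to a single address, 872D4AC8, the same address GMER reports for \Device\Harddisk0\DR0. As an added example (not part of the original post, TDSSKiller or GMER), this Python script parses that log layout and flags any driver whose whole dispatch table collapses to one address; the sample log is a constructed, abbreviated excerpt in the same format.

```python
import re

# Constructed, abbreviated sample in the TDSSKiller 2.2.x log layout: a clean
# "atapi" block mixing driver handlers (F76FBxxx) with the kernel default stub
# (804FA88E), then a block whose every IRP_MJ entry points at one pool address.
SAMPLE_LOG = """\
17:31:24:796 3980 Driver Name: atapi
17:31:24:796 3980 IRP_MJ_CREATE : F76FB6F2
17:31:24:796 3980 IRP_MJ_READ : 804FA88E
17:31:24:796 3980 IRP_MJ_DEVICE_CONTROL : F76FB712
17:31:24:796 3980 IRP_MJ_POWER : F76FB73C
17:31:24:921 3980 C:\\WINDOWS\\system32\\drivers\\atapi.sys - Verdict: 1
17:31:24:921 3980
17:31:24:921 3980 Driver Name: atapi
17:31:24:921 3980 IRP_MJ_CREATE : 872D4AC8
17:31:24:921 3980 IRP_MJ_READ : 872D4AC8
17:31:24:921 3980 IRP_MJ_DEVICE_CONTROL : 872D4AC8
17:31:24:921 3980 IRP_MJ_POWER : 872D4AC8
"""

# Each line is "hh:mm:ss:ms pid <body>"; only the body is interpreted.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s+(\S+)")
IRP_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")

def parse_dispatch_tables(log_text):
    """Return [(driver_name, {irp_major: handler_address}), ...] in log order."""
    tables, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # empty "hh:mm:ss:ms pid" lines and non-log text
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = (d.group(1), {})
            tables.append(current)
            continue
        i = IRP_RE.match(body)
        if i and current is not None:
            current[1][i.group(1)] = int(i.group(2), 16)
    return tables

def find_uniform_tables(tables):
    """Flag blocks whose whole dispatch table resolves to a single address."""
    return [(name, next(iter(entries.values())))
            for name, entries in tables
            if len(entries) >= 2 and len(set(entries.values())) == 1]
```

A real driver exports distinct handlers plus the kernel's default stub, so a table collapsed onto one address is a strong hook indicator; the same check applies to the Disk blocks in the full log, which it leaves unflagged.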




#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 April 2010 - 07:07 PM

TDSS is evolving fast at the moment and some tools are lagging behind it. Please run ComboFix.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 April 2010 - 06:46 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
