TDSS RootKit removal


  • This topic is locked
4 replies to this topic

#1 gnomixa

  • Members
  • 6 posts

Posted 18 April 2010 - 10:31 PM

I got this malware (TDSS rootkit); the symptoms are that my Google searches are being hijacked and tabs open once in a while. I tried the following anti-malware packages:
ad-aware
malwarebytes
hitman-pro-3.5

I also have AVG 9.0 (resident anti-virus), and I also scanned the system with Trend Micro HouseCall. None of the tools listed above found anything. Yet I was still getting Google search results redirected to random sites.

Then I downloaded TDSSKiller and it found the malware and promised to clean it on reboot, but after the reboot it's still here :(

So, first I posted here
http://www.bleepingcomputer.com/forums/t/310890/tdss-rootkit/

and I am following Budapest's instructions, starting at step 7 here
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

GMER didn't work for me; this is what I get in the middle of running it:

"A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: fxtdypog.sys
PAGE_FAULT_IN_NONPAGED_AREA
Technical info:
Stop 0x00000050 (0xFDB9F000, 0x00000000, 0xA7ACCD3D, 0x00000000)
fxtdypog.sys address A7ACCD3D base at A7AC1000, Date stamp 4b274f8d"

------------------------

This is my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Zhenya at 19:48:13.26 on Sun 04/18/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.821 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Zhenya\LOCALS~1\Temp\Rar$EX00.906\TDSSKiller.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Zhenya\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.icq.com/
uWindow Title = Microsoft Internet Explorer provided by Shaw Internet
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://start.shaw.ca
uInternet Settings,ProxyServer = proxy:8080
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: ccc-core-static - msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zhenya\applic~1\mozilla\firefox\profiles\61712in4.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\zhenya\application data\mozilla\firefox\profiles\61712in4.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-18 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-24 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 242696]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
S0 lcoxs;lcoxs; [x]
S2 gupdate1c9d95ed821112e;Google Update Service (gupdate1c9d95ed821112e);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]

=============== Created Last 30 ================

2010-04-19 01:26:02 96512 ----a-w- c:\windows\system32\drivers\tskE.tmp
2010-04-19 01:26:02 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-19 01:07:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-19 00:42:35 0 d-----w- c:\program files\TrendMicro
2010-04-19 00:08:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-19 00:08:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-19 00:08:06 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-18 23:52:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-18 23:52:13 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 23:52:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 23:50:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-18 23:49:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-18 23:44:36 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-18 23:44:05 0 d-----w- c:\program files\Lavasoft
2010-04-18 20:24:29 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-04-18 20:24:29 215920 ----a-w- c:\windows\system32\muweb.dll
2010-04-18 20:24:29 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-04-15 00:48:46 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-15 00:41:16 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-14 00:37:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Geek Squad
2010-04-13 22:48:44 0 d-----w- c:\docume~1\zhenya\applic~1\Malwarebytes
2010-04-13 22:48:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-13 07:46:15 0 d-----w- c:\docume~1\zhenya\applic~1\10ED78F5A34CECC87251CF4765A4F2E5
2010-04-07 05:33:03 0 d-----w- c:\docume~1\zhenya\applic~1\FileOpen
2010-04-07 05:33:03 0 d-----w- c:\docume~1\alluse~1\applic~1\FileOpen
2010-04-07 05:31:41 0 d-----w- c:\program files\FileOpen
2010-03-20 07:14:17 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-04-19 01:17:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-18 22:55:53 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys.tmp
2010-04-18 21:02:10 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-03-17 15:09:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 15:09:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-17 15:08:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-10 10:08:42 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 19:49:37.65 ===============


----------------

attach.txt attached as per directions

Please take a look and let me know what the next step is.
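The DDS log above already contains the leads a responder would chase first: two boot-start Windows drivers (atapi.sys and i8042prt.sys) with modification times on the day of the scan, two leftover .tmp files in the drivers directory, a file (tskE.tmp) that is exactly the same size as atapi.sys (96512 bytes), and a boot-start driver service (S0 lcoxs) whose binary DDS could not find. The TDL3 generation of Alureon is known for overwriting a legitimate boot-start driver such as atapi.sys in place, which is why a freshly timestamped atapi.sys is the first thing to look at. The script below is an added triage example, not part of the original post and not DDS or TDSSKiller code; it parses the "SERVICES / DRIVERS", "Created Last 30" and "Find3M" sections of a DDS log and applies those four checks. The CORE_DRIVERS list, the 7-day window and the sample lines (copied from the posted log, trimmed) are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a handful of lines copied from the DDS log posted above,
# limited to the three sections this script understands.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-18 64288]
S0 lcoxs;lcoxs; [x]
=============== Created Last 30 ================
2010-04-19 01:26:02 96512 ----a-w- c:\windows\system32\drivers\tskE.tmp
2010-04-19 01:26:02 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-18 23:52:13 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
==================== Find3M ====================
2010-04-19 01:17:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-18 22:55:53 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys.tmp
2010-04-18 21:02:10 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-03-17 15:09:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
"""

# When DDS was run, taken from the log header ("19:48:13 on Sun 04/18/2010").
SCAN_DATE = datetime(2010, 4, 18, 19, 48)

# Assumption (not an official Microsoft list): boot-start drivers shipped with
# Windows XP that should only change on a service pack or hotfix.
CORE_DRIVERS = {"atapi.sys", "i8042prt.sys", "ntfs.sys", "disk.sys", "kbdclass.sys"}

# Assumption: a core driver touched within this many days of the scan is a lead.
LOOKBACK_DAYS = 7

# "2010-04-19 01:17:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")
# "R0 Lbd;Lbd;c:\...\Lbd.sys [2010-4-18 64288]"  or  "S0 lcoxs;lcoxs; [x]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")


def parse_file_entries(text):
    """Return one dict per 'date time size attrs path' line."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        date, time_, size, attrs, path = m.groups()
        path = path.lower()
        entries.append({
            "when": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
            "size": int(size), "attrs": attrs, "path": path,
            "name": path.rsplit("\\", 1)[-1], "is_dir": attrs.startswith("d"),
        })
    return entries


def parse_service_entries(text):
    """Return one dict per 'R0/S0 name;display;path [info]' line."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, info = m.groups()
            entries.append({"start": start, "name": name, "display": display,
                            "path": path.strip(), "info": info.strip()})
    return entries


def triage(text, scan_date=SCAN_DATE):
    """Apply the four heuristics; return a list of (rule, detail) findings."""
    findings = []
    files = parse_file_entries(text)
    cutoff = scan_date - timedelta(days=LOOKBACK_DAYS)
    drivers = [f for f in files if "\\drivers\\" in f["path"] and not f["is_dir"]]

    # Rule 1: a boot-critical Windows driver with a fresh modification time.
    for f in files:
        if f["name"] in CORE_DRIVERS and f["when"] >= cutoff:
            findings.append(("core-driver-modified", f"{f['path']} at {f['when']:%Y-%m-%d %H:%M}"))

    # Rule 2: leftover .tmp files in the drivers directory (staged or backed-up copies).
    for f in drivers:
        if f["name"].endswith(".tmp"):
            findings.append(("tmp-in-drivers", f["path"]))

    # Rule 3: a drivers-directory file whose size exactly matches a core driver's;
    # hash both to find out whether one is a copy of the other.
    by_size = defaultdict(list)
    for f in drivers:
        by_size[f["size"]].append(f["name"])
    for size, names in by_size.items():
        if len(names) > 1 and any(n in CORE_DRIVERS for n in names):
            findings.append(("same-size-as-core-driver", f"{size} bytes: {', '.join(sorted(names))}"))

    # Rule 4: a boot/system-start driver service whose binary DDS could not locate.
    for s in parse_service_entries(text):
        if s["start"] in {"R0", "S0", "R1", "S1"} and (not s["path"] or s["info"] == "x"):
            findings.append(("driver-service-without-file", f"{s['start']} {s['name']}"))
    return findings


def triage_sample():
    """Run the checks over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, detail in triage_sample():
        print(f"[{rule}] {detail}")
```

Feed it a full DDS log by reading the file into the text argument. The output is a list of leads, not verdicts: the next step for a flagged driver is to hash it and compare against a known-good copy of the same file, and for a service with no backing file to check whether the registry key still exists and what it points to.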




#2 snemelk

    inżynier (engineer)

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 23 April 2010 - 05:43 PM

Hi gnomixa, and welcome to Bleeping Computer.

It looks like you're running two antivirus programs at the same time: Microsoft Security Essentials and AVG 9.0. It's not recommended to run more than one antivirus program in resident mode, because they can conflict with each other.
I strongly suggest you uninstall one of these programs - your choice...
Use Start > Control Panel, then double-click Add or Remove Programs...

Afterwards,
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 gnomixa

  • Topic Starter
  • Members
  • 6 posts

Posted 23 April 2010 - 06:43 PM

Thanks for the tip. It's the guys in the shop that did that (I only had AVG running) and they installed the MS antivirus. I first had the Alureon virus and took the PC to the shop to get it fixed. After getting it back I noticed this hijack thing.


Anyway, you can close this topic. I reformatted, and now it's gone. Reformatting was preferable for me, as looking at the average replies here, I realize it could take 4-5 days to get a first reply, and then some people had this saga continue for 2-3 more weeks. The reformat took 30 minutes.

I realize you guys are all volunteers, but I can't possibly wait that long for the first reply. My PC was due for a reformat anyway.



#4 snemelk

    inżynier (engineer)

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 24 April 2010 - 10:04 AM

Hi again gnomixa!

Thanks for letting us know you decided to reformat!

QUOTE(gnomixa @ Apr 24 2010, 01:43 AM)
It's the guys in the shop that did that (I only had AVG running) and they installed the MS antivirus. I first had the Alureon virus and took the PC to the shop to get it fixed. After getting it back I noticed this hijack thing.

Alureon is the name of the rootkit infection you were dealing with - it causes search engine redirects... And it means that the guy in the shop could not fix it! On the one hand, he should have cleaned that infection if he was paid... On the other hand, though, this infection is very complex - it hides well and may be hard to remove (or quite easy if you know what to do)...

QUOTE
Reformatting was preferable for me, as looking at the average replies here, I realize it could take 4-5 days to get a first reply, and then some people had this saga continue for 2-3 more weeks. The reformat took 30 minutes.

I realize you guys are all volunteers, but I can't possibly wait that long for the first reply. My PC was due for a reformat anyway.

Reformatting was a good choice - you know you have a clean system now... Just secure it well and remember to keep your programs updated, and everything should be fine!
When it comes to waiting for a reply - we have a limited number of helpers (and, as you noticed, we're all volunteers), and more than 200 logs awaiting a reply - users have to wait; we cannot do more...

Please check my site - snemelk.hekko.pl. There you'll find a few steps to make your web browsing safer.

Also, I recommend you read Grinler's excellent article: How did I get infected? With steps so it does not happen again!


#5 snemelk

    inżynier (engineer)

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 13 May 2010 - 12:17 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.