TDSS Rootkit removal doesn't work


5 replies to this topic

#1 Nawtheasta

  • Members
  • 403 posts
  • Location:New England, USA

Posted 25 May 2010 - 11:36 PM

I did a Malwarebytes scan today and it found several infected files. I deleted them and restarted my computer, as the program advised me to do.

Then I ran TDSSKiller and it found that my atapi driver was infected with a TDSS rootkit. Apparently I have the redirecting virus on Google searches, because it started occurring today.

I did a restart to remove the rootkit, but when I restarted and opened the program again, it still detected the rootkit, and it wouldn't let me restart my computer this time to remove it; it just said that I still had the rootkit on my computer.

What should I do now? I have no idea what to do from here, but it doesn't seem like my computer has any other problems, since I can still open Malwarebytes fine and all my other programs, and it doesn't detect anything on MB now either. I have the log files from both TDSSKiller and MB, but I don't know how to attach files.

Can someone help me?


#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 25 May 2010 - 11:49 PM

Please follow these instructions:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Nawtheasta
  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 25 May 2010 - 11:56 PM

Here's my Malwarebytes log from today, when I had the infections:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

5/25/2010 5:29:45 PM
mbam-log-2010-05-25 (17-29-45).txt

Scan type: Quick scan
Objects scanned: 138343
Time elapsed: 14 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mike\Local Settings\Temp\4DBC.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4DBE.tmp (Rootkit.TDSS.Gen) -> Delete on reboot.

Now here is the first TDSSKiller log, which was supposed to delete the rootkit on restart:

23:41:53:125 4876 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
23:41:53:125 4876 ================================================================================
23:41:53:125 4876 SystemInfo:

23:41:53:125 4876 OS Version: 5.1.2600 ServicePack: 2.0
23:41:53:125 4876 Product type: Workstation
23:41:53:125 4876 ComputerName: MIKE-A25D958F62
23:41:53:125 4876 UserName: Mike
23:41:53:125 4876 Windows directory: C:\WINDOWS
23:41:53:125 4876 Processor architecture: Intel x86
23:41:53:125 4876 Number of processors: 2
23:41:53:125 4876 Page size: 0x1000
23:41:53:156 4876 Boot type: Normal boot
23:41:53:156 4876 ================================================================================
23:41:53:250 4876 UnloadDriverW: NtUnloadDriver error 2
23:41:53:250 4876 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:41:53:437 4876 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:41:53:437 4876 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:41:53:437 4876 wfopen_ex: Trying to KLMD file open
23:41:53:437 4876 wfopen_ex: File opened ok (Flags 2)
23:41:53:437 4876 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:41:53:437 4876 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:41:53:437 4876 wfopen_ex: Trying to KLMD file open
23:41:53:437 4876 wfopen_ex: File opened ok (Flags 2)
23:41:53:437 4876 Initialize success
23:41:53:437 4876
23:41:53:437 4876 Scanning Services ...
23:41:54:109 4876 GetAdvancedServicesInfo: Raw services enum returned 373 services
23:41:54:125 4876
23:41:54:125 4876 Scanning Kernel memory ...
23:41:54:125 4876 Devices to scan: 8
23:41:54:125 4876
23:41:54:125 4876 Driver Name: Disk
23:41:54:125 4876 IRP_MJ_CREATE : BA91EC30
23:41:54:125 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:125 4876 IRP_MJ_CLOSE : BA91EC30
23:41:54:125 4876 IRP_MJ_READ : BA918D9B
23:41:54:125 4876 IRP_MJ_WRITE : BA918D9B
23:41:54:125 4876 IRP_MJ_QUERY_INFORMATION : 804F4476
23:41:54:125 4876 IRP_MJ_SET_INFORMATION : 804F4476
23:41:54:125 4876 IRP_MJ_QUERY_EA : 804F4476
23:41:54:125 4876 IRP_MJ_SET_EA : 804F4476
23:41:54:125 4876 IRP_MJ_FLUSH_BUFFERS : BA919366
23:41:54:125 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:41:54:125 4876 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:41:54:125 4876 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:41:54:125 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:41:54:125 4876 IRP_MJ_DEVICE_CONTROL : BA91944D
23:41:54:125 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC3
23:41:54:125 4876 IRP_MJ_SHUTDOWN : BA919366
23:41:54:125 4876 IRP_MJ_LOCK_CONTROL : 804F4476
23:41:54:125 4876 IRP_MJ_CLEANUP : 804F4476
23:41:54:125 4876 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:41:54:125 4876 IRP_MJ_QUERY_SECURITY : 804F4476
23:41:54:125 4876 IRP_MJ_SET_SECURITY : 804F4476
23:41:54:125 4876 IRP_MJ_POWER : BA91AEF3
23:41:54:125 4876 IRP_MJ_SYSTEM_CONTROL : BA91FA24
23:41:54:125 4876 IRP_MJ_DEVICE_CHANGE : 804F4476
23:41:54:125 4876 IRP_MJ_QUERY_QUOTA : 804F4476
23:41:54:125 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:156 4876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:41:54:156 4876
23:41:54:156 4876 Driver Name: usbstor
23:41:54:156 4876 IRP_MJ_CREATE : BAC1D218
23:41:54:156 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:156 4876 IRP_MJ_CLOSE : BAC1D218
23:41:54:156 4876 IRP_MJ_READ : BAC1D23C
23:41:54:156 4876 IRP_MJ_WRITE : BAC1D23C
23:41:54:156 4876 IRP_MJ_QUERY_INFORMATION : 804F4476
23:41:54:156 4876 IRP_MJ_SET_INFORMATION : 804F4476
23:41:54:156 4876 IRP_MJ_QUERY_EA : 804F4476
23:41:54:156 4876 IRP_MJ_SET_EA : 804F4476
23:41:54:156 4876 IRP_MJ_FLUSH_BUFFERS : 804F4476
23:41:54:156 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:41:54:156 4876 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:41:54:156 4876 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:41:54:156 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:41:54:156 4876 IRP_MJ_DEVICE_CONTROL : BAC1D180
23:41:54:156 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC189E6
23:41:54:156 4876 IRP_MJ_SHUTDOWN : 804F4476
23:41:54:156 4876 IRP_MJ_LOCK_CONTROL : 804F4476
23:41:54:156 4876 IRP_MJ_CLEANUP : 804F4476
23:41:54:156 4876 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:41:54:156 4876 IRP_MJ_QUERY_SECURITY : 804F4476
23:41:54:156 4876 IRP_MJ_SET_SECURITY : 804F4476
23:41:54:156 4876 IRP_MJ_POWER : BAC1C5F0
23:41:54:156 4876 IRP_MJ_SYSTEM_CONTROL : BAC1AA6E
23:41:54:156 4876 IRP_MJ_DEVICE_CHANGE : 804F4476
23:41:54:156 4876 IRP_MJ_QUERY_QUOTA : 804F4476
23:41:54:156 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:218 4876 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:41:54:218 4876
23:41:54:218 4876 Driver Name: Disk
23:41:54:218 4876 IRP_MJ_CREATE : BA91EC30
23:41:54:218 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:218 4876 IRP_MJ_CLOSE : BA91EC30
23:41:54:218 4876 IRP_MJ_READ : BA918D9B
23:41:54:218 4876 IRP_MJ_WRITE : BA918D9B
23:41:54:218 4876 IRP_MJ_QUERY_INFORMATION : 804F4476
23:41:54:218 4876 IRP_MJ_SET_INFORMATION : 804F4476
23:41:54:218 4876 IRP_MJ_QUERY_EA : 804F4476
23:41:54:218 4876 IRP_MJ_SET_EA : 804F4476
23:41:54:218 4876 IRP_MJ_FLUSH_BUFFERS : BA919366
23:41:54:218 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:41:54:218 4876 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:41:54:218 4876 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:41:54:218 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:41:54:218 4876 IRP_MJ_DEVICE_CONTROL : BA91944D
23:41:54:218 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC3
23:41:54:218 4876 IRP_MJ_SHUTDOWN : BA919366
23:41:54:218 4876 IRP_MJ_LOCK_CONTROL : 804F4476
23:41:54:218 4876 IRP_MJ_CLEANUP : 804F4476
23:41:54:218 4876 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:41:54:218 4876 IRP_MJ_QUERY_SECURITY : 804F4476
23:41:54:218 4876 IRP_MJ_SET_SECURITY : 804F4476
23:41:54:218 4876 IRP_MJ_POWER : BA91AEF3
23:41:54:218 4876 IRP_MJ_SYSTEM_CONTROL : BA91FA24
23:41:54:218 4876 IRP_MJ_DEVICE_CHANGE : 804F4476
23:41:54:218 4876 IRP_MJ_QUERY_QUOTA : 804F4476
23:41:54:218 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:234 4876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:41:54:234 4876
23:41:54:234 4876 Driver Name: Disk
23:41:54:234 4876 IRP_MJ_CREATE : BA91EC30
23:41:54:234 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:234 4876 IRP_MJ_CLOSE : BA91EC30
23:41:54:234 4876 IRP_MJ_READ : BA918D9B
23:41:54:234 4876 IRP_MJ_WRITE : BA918D9B
23:41:54:234 4876 IRP_MJ_QUERY_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_SET_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_QUERY_EA : 804F4476
23:41:54:234 4876 IRP_MJ_SET_EA : 804F4476
23:41:54:234 4876 IRP_MJ_FLUSH_BUFFERS : BA919366
23:41:54:234 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:41:54:234 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:41:54:234 4876 IRP_MJ_DEVICE_CONTROL : BA91944D
23:41:54:234 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC3
23:41:54:234 4876 IRP_MJ_SHUTDOWN : BA919366
23:41:54:234 4876 IRP_MJ_LOCK_CONTROL : 804F4476
23:41:54:234 4876 IRP_MJ_CLEANUP : 804F4476
23:41:54:234 4876 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:41:54:234 4876 IRP_MJ_QUERY_SECURITY : 804F4476
23:41:54:234 4876 IRP_MJ_SET_SECURITY : 804F4476
23:41:54:234 4876 IRP_MJ_POWER : BA91AEF3
23:41:54:234 4876 IRP_MJ_SYSTEM_CONTROL : BA91FA24
23:41:54:234 4876 IRP_MJ_DEVICE_CHANGE : 804F4476
23:41:54:234 4876 IRP_MJ_QUERY_QUOTA : 804F4476
23:41:54:234 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:234 4876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:41:54:234 4876
23:41:54:234 4876 Driver Name: usbstor
23:41:54:234 4876 IRP_MJ_CREATE : BAC1D218
23:41:54:234 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:234 4876 IRP_MJ_CLOSE : BAC1D218
23:41:54:234 4876 IRP_MJ_READ : BAC1D23C
23:41:54:234 4876 IRP_MJ_WRITE : BAC1D23C
23:41:54:234 4876 IRP_MJ_QUERY_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_SET_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_QUERY_EA : 804F4476
23:41:54:234 4876 IRP_MJ_SET_EA : 804F4476
23:41:54:234 4876 IRP_MJ_FLUSH_BUFFERS : 804F4476
23:41:54:234 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:41:54:234 4876 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:41:54:234 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:41:54:234 4876 IRP_MJ_DEVICE_CONTROL : BAC1D180
23:41:54:234 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC189E6
23:41:54:234 4876 IRP_MJ_SHUTDOWN : 804F4476
23:41:54:234 4876 IRP_MJ_LOCK_CONTROL : 804F4476
23:41:54:234 4876 IRP_MJ_CLEANUP : 804F4476
23:41:54:234 4876 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:41:54:234 4876 IRP_MJ_QUERY_SECURITY : 804F4476
23:41:54:234 4876 IRP_MJ_SET_SECURITY : 804F4476
23:41:54:234 4876 IRP_MJ_POWER : BAC1C5F0
23:41:54:234 4876 IRP_MJ_SYSTEM_CONTROL : BAC1AA6E
23:41:54:234 4876 IRP_MJ_DEVICE_CHANGE : 804F4476
23:41:54:234 4876 IRP_MJ_QUERY_QUOTA : 804F4476
23:41:54:234 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:234 4876 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:41:54:250 4876
23:41:54:250 4876 Driver Name: usbstor
23:41:54:250 4876 IRP_MJ_CREATE : BAC1D218
23:41:54:250 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:250 4876 IRP_MJ_CLOSE : BAC1D218
23:41:54:250 4876 IRP_MJ_READ : BAC1D23C
23:41:54:250 4876 IRP_MJ_WRITE : BAC1D23C
23:41:54:250 4876 IRP_MJ_QUERY_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_SET_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_QUERY_EA : 804F4476
23:41:54:250 4876 IRP_MJ_SET_EA : 804F4476
23:41:54:250 4876 IRP_MJ_FLUSH_BUFFERS : 804F4476
23:41:54:250 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:41:54:250 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:41:54:250 4876 IRP_MJ_DEVICE_CONTROL : BAC1D180
23:41:54:250 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC189E6
23:41:54:250 4876 IRP_MJ_SHUTDOWN : 804F4476
23:41:54:250 4876 IRP_MJ_LOCK_CONTROL : 804F4476
23:41:54:250 4876 IRP_MJ_CLEANUP : 804F4476
23:41:54:250 4876 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:41:54:250 4876 IRP_MJ_QUERY_SECURITY : 804F4476
23:41:54:250 4876 IRP_MJ_SET_SECURITY : 804F4476
23:41:54:250 4876 IRP_MJ_POWER : BAC1C5F0
23:41:54:250 4876 IRP_MJ_SYSTEM_CONTROL : BAC1AA6E
23:41:54:250 4876 IRP_MJ_DEVICE_CHANGE : 804F4476
23:41:54:250 4876 IRP_MJ_QUERY_QUOTA : 804F4476
23:41:54:250 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:250 4876 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:41:54:250 4876
23:41:54:250 4876 Driver Name: Disk
23:41:54:250 4876 IRP_MJ_CREATE : BA91EC30
23:41:54:250 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:250 4876 IRP_MJ_CLOSE : BA91EC30
23:41:54:250 4876 IRP_MJ_READ : BA918D9B
23:41:54:250 4876 IRP_MJ_WRITE : BA918D9B
23:41:54:250 4876 IRP_MJ_QUERY_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_SET_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_QUERY_EA : 804F4476
23:41:54:250 4876 IRP_MJ_SET_EA : 804F4476
23:41:54:250 4876 IRP_MJ_FLUSH_BUFFERS : BA919366
23:41:54:250 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:41:54:250 4876 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:41:54:250 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:41:54:250 4876 IRP_MJ_DEVICE_CONTROL : BA91944D
23:41:54:250 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CFC3
23:41:54:250 4876 IRP_MJ_SHUTDOWN : BA919366
23:41:54:250 4876 IRP_MJ_LOCK_CONTROL : 804F4476
23:41:54:250 4876 IRP_MJ_CLEANUP : 804F4476
23:41:54:250 4876 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:41:54:250 4876 IRP_MJ_QUERY_SECURITY : 804F4476
23:41:54:250 4876 IRP_MJ_SET_SECURITY : 804F4476
23:41:54:250 4876 IRP_MJ_POWER : BA91AEF3
23:41:54:250 4876 IRP_MJ_SYSTEM_CONTROL : BA91FA24
23:41:54:250 4876 IRP_MJ_DEVICE_CHANGE : 804F4476
23:41:54:250 4876 IRP_MJ_QUERY_QUOTA : 804F4476
23:41:54:250 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:250 4876 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:41:54:250 4876
23:41:54:250 4876 Driver Name: atapi
23:41:54:250 4876 IRP_MJ_CREATE : 8A49BD01
23:41:54:250 4876 IRP_MJ_CREATE_NAMED_PIPE : 8A49BD01
23:41:54:250 4876 IRP_MJ_CLOSE : 8A49BD01
23:41:54:250 4876 IRP_MJ_READ : 8A49BD01
23:41:54:250 4876 IRP_MJ_WRITE : 8A49BD01
23:41:54:250 4876 IRP_MJ_QUERY_INFORMATION : 8A49BD01
23:41:54:250 4876 IRP_MJ_SET_INFORMATION : 8A49BD01
23:41:54:250 4876 IRP_MJ_QUERY_EA : 8A49BD01
23:41:54:250 4876 IRP_MJ_SET_EA : 8A49BD01
23:41:54:250 4876 IRP_MJ_FLUSH_BUFFERS : 8A49BD01
23:41:54:250 4876 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A49BD01
23:41:54:250 4876 IRP_MJ_SET_VOLUME_INFORMATION : 8A49BD01
23:41:54:265 4876 IRP_MJ_DIRECTORY_CONTROL : 8A49BD01
23:41:54:265 4876 IRP_MJ_FILE_SYSTEM_CONTROL : 8A49BD01
23:41:54:265 4876 IRP_MJ_DEVICE_CONTROL : 8A49BD01
23:41:54:265 4876 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A49BD01
23:41:54:265 4876 IRP_MJ_SHUTDOWN : 8A49BD01
23:41:54:265 4876 IRP_MJ_LOCK_CONTROL : 8A49BD01
23:41:54:265 4876 IRP_MJ_CLEANUP : 8A49BD01
23:41:54:265 4876 IRP_MJ_CREATE_MAILSLOT : 8A49BD01
23:41:54:265 4876 IRP_MJ_QUERY_SECURITY : 8A49BD01
23:41:54:265 4876 IRP_MJ_SET_SECURITY : 8A49BD01
23:41:54:265 4876 IRP_MJ_POWER : 8A49BD01
23:41:54:265 4876 IRP_MJ_SYSTEM_CONTROL : 8A49BD01
23:41:54:265 4876 IRP_MJ_DEVICE_CHANGE : 8A49BD01
23:41:54:265 4876 IRP_MJ_QUERY_QUOTA : 8A49BD01
23:41:54:265 4876 IRP_MJ_SET_QUOTA : 8A49BD01
23:41:54:265 4876 Driver "atapi" infected by TDSS rootkit!
23:41:54:281 4876 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
23:41:54:281 4876 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
23:41:54:281 4876 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
23:41:54:281 4876 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
23:41:54:906 4876 vfvi6
23:41:55:046 4876 !dsvbh1
23:42:05:359 4876 dsvbh2
23:42:05:359 4876 fdfb2
23:42:05:359 4876 Backup copy found, using it..
23:42:05:421 4876 will be cured on next reboot
23:42:05:421 4876 Reboot required for cure complete..
23:42:05:437 4876 Cure on reboot scheduled successfully
23:42:05:437 4876
23:42:05:437 4876 Completed
23:42:05:437 4876
23:42:05:437 4876 Results:
23:42:05:437 4876 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
23:42:05:437 4876 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:42:05:437 4876 File objects infected / cured / cured on reboot: 1 / 0 / 1
23:42:05:437 4876
23:42:05:437 4876 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:42:05:437 4876 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:42:05:437 4876 UnloadDriverW: NtUnloadDriver error 1
23:42:05:437 4876 KLMD_Unload: UnloadDriverW(klmd21) error 1
23:42:05:437 4876 KLMD(ARK) unloaded successfully

And here is the last scan, which just says I'm infected:

00:11:56:923 5100 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
00:11:56:923 5100 ================================================================================
00:11:56:923 5100 SystemInfo:

00:11:56:923 5100 OS Version: 5.1.2600 ServicePack: 2.0
00:11:56:923 5100 Product type: Workstation
00:11:56:923 5100 ComputerName: MIKE-A25D958F62
00:11:56:923 5100 UserName: Mike
00:11:56:923 5100 Windows directory: C:\WINDOWS
00:11:56:923 5100 Processor architecture: Intel x86
00:11:56:923 5100 Number of processors: 2
00:11:56:923 5100 Page size: 0x1000
00:11:56:923 5100 Boot type: Normal boot
00:11:56:923 5100 ================================================================================
00:11:56:939 5100 UnloadDriverW: NtUnloadDriver error 1
00:11:56:939 5100 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
00:11:56:939 5100 LoadDriverW: Driver already loaded
00:11:56:939 5100 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
00:11:56:939 5100 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
00:11:56:939 5100 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:11:56:939 5100 wfopen_ex: Trying to KLMD file open
00:11:56:939 5100 wfopen_ex: File opened ok (Flags 2)
00:11:56:939 5100 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
00:11:56:939 5100 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:11:56:939 5100 wfopen_ex: Trying to KLMD file open
00:11:56:939 5100 wfopen_ex: File opened ok (Flags 2)
00:11:56:939 5100 Initialize success
00:11:56:939 5100
00:11:56:939 5100 Scanning Services ...
00:11:57:439 5100 GetAdvancedServicesInfo: Raw services enum returned 373 services
00:11:57:439 5100
00:11:57:439 5100 Scanning Kernel memory ...
00:11:57:439 5100 Devices to scan: 6
00:11:57:439 5100
00:11:57:439 5100 Driver Name: Disk
00:11:57:439 5100 IRP_MJ_CREATE : BA90EC30
00:11:57:439 5100 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
00:11:57:439 5100 IRP_MJ_CLOSE : BA90EC30
00:11:57:439 5100 IRP_MJ_READ : BA908D9B
00:11:57:439 5100 IRP_MJ_WRITE : BA908D9B
00:11:57:439 5100 IRP_MJ_QUERY_INFORMATION : 804F4476
00:11:57:439 5100 IRP_MJ_SET_INFORMATION : 804F4476
00:11:57:439 5100 IRP_MJ_QUERY_EA : 804F4476
00:11:57:439 5100 IRP_MJ_SET_EA : 804F4476
00:11:57:439 5100 IRP_MJ_FLUSH_BUFFERS : BA909366
00:11:57:439 5100 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
00:11:57:439 5100 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
00:11:57:439 5100 IRP_MJ_DIRECTORY_CONTROL : 804F4476
00:11:57:439 5100 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
00:11:57:439 5100 IRP_MJ_DEVICE_CONTROL : BA90944D
00:11:57:439 5100 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
00:11:57:439 5100 IRP_MJ_SHUTDOWN : BA909366
00:11:57:439 5100 IRP_MJ_LOCK_CONTROL : 804F4476
00:11:57:439 5100 IRP_MJ_CLEANUP : 804F4476
00:11:57:439 5100 IRP_MJ_CREATE_MAILSLOT : 804F4476
00:11:57:439 5100 IRP_MJ_QUERY_SECURITY : 804F4476
00:11:57:439 5100 IRP_MJ_SET_SECURITY : 804F4476
00:11:57:439 5100 IRP_MJ_POWER : BA90AEF3
00:11:57:439 5100 IRP_MJ_SYSTEM_CONTROL : BA90FA24
00:11:57:439 5100 IRP_MJ_DEVICE_CHANGE : 804F4476
00:11:57:439 5100 IRP_MJ_QUERY_QUOTA : 804F4476
00:11:57:439 5100 IRP_MJ_SET_QUOTA : 804F4476
00:11:57:455 5100 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:11:57:455 5100
00:11:57:455 5100 Driver Name: Disk
00:11:57:455 5100 IRP_MJ_CREATE : BA90EC30
00:11:57:455 5100 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
00:11:57:455 5100 IRP_MJ_CLOSE : BA90EC30
00:11:57:455 5100 IRP_MJ_READ : BA908D9B
00:11:57:455 5100 IRP_MJ_WRITE : BA908D9B
00:11:57:455 5100 IRP_MJ_QUERY_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_SET_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_QUERY_EA : 804F4476
00:11:57:455 5100 IRP_MJ_SET_EA : 804F4476
00:11:57:455 5100 IRP_MJ_FLUSH_BUFFERS : BA909366
00:11:57:455 5100 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_DIRECTORY_CONTROL : 804F4476
00:11:57:455 5100 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
00:11:57:455 5100 IRP_MJ_DEVICE_CONTROL : BA90944D
00:11:57:455 5100 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
00:11:57:455 5100 IRP_MJ_SHUTDOWN : BA909366
00:11:57:455 5100 IRP_MJ_LOCK_CONTROL : 804F4476
00:11:57:455 5100 IRP_MJ_CLEANUP : 804F4476
00:11:57:455 5100 IRP_MJ_CREATE_MAILSLOT : 804F4476
00:11:57:455 5100 IRP_MJ_QUERY_SECURITY : 804F4476
00:11:57:455 5100 IRP_MJ_SET_SECURITY : 804F4476
00:11:57:455 5100 IRP_MJ_POWER : BA90AEF3
00:11:57:455 5100 IRP_MJ_SYSTEM_CONTROL : BA90FA24
00:11:57:455 5100 IRP_MJ_DEVICE_CHANGE : 804F4476
00:11:57:455 5100 IRP_MJ_QUERY_QUOTA : 804F4476
00:11:57:455 5100 IRP_MJ_SET_QUOTA : 804F4476
00:11:57:455 5100 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:11:57:455 5100
00:11:57:455 5100 Driver Name: usbstor
00:11:57:455 5100 IRP_MJ_CREATE : BAC1D218
00:11:57:455 5100 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
00:11:57:455 5100 IRP_MJ_CLOSE : BAC1D218
00:11:57:455 5100 IRP_MJ_READ : BAC1D23C
00:11:57:455 5100 IRP_MJ_WRITE : BAC1D23C
00:11:57:455 5100 IRP_MJ_QUERY_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_SET_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_QUERY_EA : 804F4476
00:11:57:455 5100 IRP_MJ_SET_EA : 804F4476
00:11:57:455 5100 IRP_MJ_FLUSH_BUFFERS : 804F4476
00:11:57:455 5100 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
00:11:57:455 5100 IRP_MJ_DIRECTORY_CONTROL : 804F4476
00:11:57:455 5100 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
00:11:57:455 5100 IRP_MJ_DEVICE_CONTROL : BAC1D180
00:11:57:455 5100 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC189E6
00:11:57:455 5100 IRP_MJ_SHUTDOWN : 804F4476
00:11:57:455 5100 IRP_MJ_LOCK_CONTROL : 804F4476
00:11:57:455 5100 IRP_MJ_CLEANUP : 804F4476
00:11:57:455 5100 IRP_MJ_CREATE_MAILSLOT : 804F4476
00:11:57:455 5100 IRP_MJ_QUERY_SECURITY : 804F4476
00:11:57:455 5100 IRP_MJ_SET_SECURITY : 804F4476
00:11:57:455 5100 IRP_MJ_POWER : BAC1C5F0
00:11:57:455 5100 IRP_MJ_SYSTEM_CONTROL : BAC1AA6E
00:11:57:455 5100 IRP_MJ_DEVICE_CHANGE : 804F4476
00:11:57:455 5100 IRP_MJ_QUERY_QUOTA : 804F4476
00:11:57:455 5100 IRP_MJ_SET_QUOTA : 804F4476
00:11:57:470 5100 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
00:11:57:470 5100
00:11:57:470 5100 Driver Name: usbstor
00:11:57:470 5100 IRP_MJ_CREATE : BAC1D218
00:11:57:470 5100 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
00:11:57:470 5100 IRP_MJ_CLOSE : BAC1D218
00:11:57:470 5100 IRP_MJ_READ : BAC1D23C
00:11:57:470 5100 IRP_MJ_WRITE : BAC1D23C
00:11:57:470 5100 IRP_MJ_QUERY_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_SET_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_QUERY_EA : 804F4476
00:11:57:470 5100 IRP_MJ_SET_EA : 804F4476
00:11:57:470 5100 IRP_MJ_FLUSH_BUFFERS : 804F4476
00:11:57:470 5100 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_DIRECTORY_CONTROL : 804F4476
00:11:57:470 5100 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
00:11:57:470 5100 IRP_MJ_DEVICE_CONTROL : BAC1D180
00:11:57:470 5100 IRP_MJ_INTERNAL_DEVICE_CONTROL : BAC189E6
00:11:57:470 5100 IRP_MJ_SHUTDOWN : 804F4476
00:11:57:470 5100 IRP_MJ_LOCK_CONTROL : 804F4476
00:11:57:470 5100 IRP_MJ_CLEANUP : 804F4476
00:11:57:470 5100 IRP_MJ_CREATE_MAILSLOT : 804F4476
00:11:57:470 5100 IRP_MJ_QUERY_SECURITY : 804F4476
00:11:57:470 5100 IRP_MJ_SET_SECURITY : 804F4476
00:11:57:470 5100 IRP_MJ_POWER : BAC1C5F0
00:11:57:470 5100 IRP_MJ_SYSTEM_CONTROL : BAC1AA6E
00:11:57:470 5100 IRP_MJ_DEVICE_CHANGE : 804F4476
00:11:57:470 5100 IRP_MJ_QUERY_QUOTA : 804F4476
00:11:57:470 5100 IRP_MJ_SET_QUOTA : 804F4476
00:11:57:470 5100 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
00:11:57:470 5100
00:11:57:470 5100 Driver Name: Disk
00:11:57:470 5100 IRP_MJ_CREATE : BA90EC30
00:11:57:470 5100 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
00:11:57:470 5100 IRP_MJ_CLOSE : BA90EC30
00:11:57:470 5100 IRP_MJ_READ : BA908D9B
00:11:57:470 5100 IRP_MJ_WRITE : BA908D9B
00:11:57:470 5100 IRP_MJ_QUERY_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_SET_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_QUERY_EA : 804F4476
00:11:57:470 5100 IRP_MJ_SET_EA : 804F4476
00:11:57:470 5100 IRP_MJ_FLUSH_BUFFERS : BA909366
00:11:57:470 5100 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
00:11:57:470 5100 IRP_MJ_DIRECTORY_CONTROL : 804F4476
00:11:57:470 5100 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
00:11:57:470 5100 IRP_MJ_DEVICE_CONTROL : BA90944D
00:11:57:470 5100 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
00:11:57:470 5100 IRP_MJ_SHUTDOWN : BA909366
00:11:57:470 5100 IRP_MJ_LOCK_CONTROL : 804F4476
00:11:57:470 5100 IRP_MJ_CLEANUP : 804F4476
00:11:57:470 5100 IRP_MJ_CREATE_MAILSLOT : 804F4476
00:11:57:470 5100 IRP_MJ_QUERY_SECURITY : 804F4476
00:11:57:470 5100 IRP_MJ_SET_SECURITY : 804F4476
00:11:57:470 5100 IRP_MJ_POWER : BA90AEF3
00:11:57:470 5100 IRP_MJ_SYSTEM_CONTROL : BA90FA24
00:11:57:470 5100 IRP_MJ_DEVICE_CHANGE : 804F4476
00:11:57:470 5100 IRP_MJ_QUERY_QUOTA : 804F4476
00:11:57:470 5100 IRP_MJ_SET_QUOTA : 804F4476
00:11:57:486 5100 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:11:57:486 5100
00:11:57:486 5100 Driver Name: atapi
00:11:57:486 5100 IRP_MJ_CREATE : 8A493D01
00:11:57:486 5100 IRP_MJ_CREATE_NAMED_PIPE : 8A493D01
00:11:57:486 5100 IRP_MJ_CLOSE : 8A493D01
00:11:57:486 5100 IRP_MJ_READ : 8A493D01
00:11:57:486 5100 IRP_MJ_WRITE : 8A493D01
00:11:57:486 5100 IRP_MJ_QUERY_INFORMATION : 8A493D01
00:11:57:486 5100 IRP_MJ_SET_INFORMATION : 8A493D01
00:11:57:486 5100 IRP_MJ_QUERY_EA : 8A493D01
00:11:57:486 5100 IRP_MJ_SET_EA : 8A493D01
00:11:57:486 5100 IRP_MJ_FLUSH_BUFFERS : 8A493D01
00:11:57:486 5100 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A493D01
00:11:57:486 5100 IRP_MJ_SET_VOLUME_INFORMATION : 8A493D01
00:11:57:486 5100 IRP_MJ_DIRECTORY_CONTROL : 8A493D01
00:11:57:486 5100 IRP_MJ_FILE_SYSTEM_CONTROL : 8A493D01
00:11:57:486 5100 IRP_MJ_DEVICE_CONTROL : 8A493D01
00:11:57:486 5100 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A493D01
00:11:57:486 5100 IRP_MJ_SHUTDOWN : 8A493D01
00:11:57:486 5100 IRP_MJ_LOCK_CONTROL : 8A493D01
00:11:57:486 5100 IRP_MJ_CLEANUP : 8A493D01
00:11:57:486 5100 IRP_MJ_CREATE_MAILSLOT : 8A493D01
00:11:57:486 5100 IRP_MJ_QUERY_SECURITY : 8A493D01
00:11:57:486 5100 IRP_MJ_SET_SECURITY : 8A493D01
00:11:57:486 5100 IRP_MJ_POWER : 8A493D01
00:11:57:486 5100 IRP_MJ_SYSTEM_CONTROL : 8A493D01
00:11:57:486 5100 IRP_MJ_DEVICE_CHANGE : 8A493D01
00:11:57:486 5100 IRP_MJ_QUERY_QUOTA : 8A493D01
00:11:57:486 5100 IRP_MJ_SET_QUOTA : 8A493D01
00:11:57:486 5100 Driver "atapi" infected by TDSS rootkit!
00:11:57:486 5100 C:\WINDOWS\system32\drivers\tskF.tmp - Verdict: 3
00:11:57:486 5100
00:11:57:486 5100 Completed
00:11:57:486 5100
00:11:57:486 5100 Results:
00:11:57:486 5100 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
00:11:57:486 5100 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:11:57:486 5100 File objects infected / cured / cured on reboot: 0 / 0 / 0
00:11:57:486 5100
00:11:57:486 5100 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
00:11:57:486 5100 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
00:11:57:486 5100 UnloadDriverW: NtUnloadDriver error 1
00:11:57:486 5100 KLMD_Unload: UnloadDriverW(klmd21) error 1
00:11:57:486 5100 KLMD(ARK) unloaded successfully


BTW, I actually ran TDSSKiller again when I restarted my computer the first time, and it said I could restart again, but I hit "N to continue" since I was still starting up programs like AIM/MSN. After that I tried running it again and it wouldn't give me the option to restart.

Edited by Nawtheasta, 25 May 2010 - 11:57 PM.
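What the kernel-memory sections of the two TDSSKiller logs above are keying on, as an added example that is not code from TDSSKiller, Kaspersky or this thread: in the clean blocks (Disk, usbstor) the IRP_MJ_* majors the driver does not implement all point at one kernel stub (804F4476 on this box; that it is ntoskrnl's IopInvalidDeviceRequest is an assumption) and the rest land in the driver's own image, so each table holds several distinct addresses. In the atapi block every listed major resolves to one address (8A49BD01 in the first run, 8A493D01 after the reboot) that is not the stub, which is the line TDSSKiller follows with `Driver "atapi" infected by TDSS rootkit!`. The second run lists tskF.tmp with Verdict 3 and no file objects cured, consistent with the reboot cure having been declined at the "N" prompt mentioned in the post. The script below parses constructed, shortened excerpts of the first log and flags drivers whose whole dispatch table collapses onto a single non-stub address; the stub is inferred from the log rather than hard-coded.

```python
"""Spot a wholesale-hooked IRP dispatch table in a TDSSKiller 2.x log.

Added example; not code from TDSSKiller, Kaspersky or the thread it follows.
Heuristic taken from the posted log: a clean storage driver implements some
IRP_MJ_* majors in its own image and leaves the rest on one kernel stub
(804F4476 on this box; assumed to be ntoskrnl's IopInvalidDeviceRequest), so
its table holds several distinct addresses. The hooked atapi table routes
every listed major to a single address that is not that stub.
"""
import re
from collections import Counter

DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (\S+)\s*$")
IRP_RE = re.compile(r"^\S+ \d+ (IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})\s*$")
VERDICT_RE = re.compile(r"^\S+ \d+ (\S.*?) - Verdict: (\d+)\s*$")

# Constructed sample: shortened excerpts of the first log in the thread.
# A real block lists 27 majors; a few per driver is enough to show the pattern.
SAMPLE_LOG = """\
23:41:54:125 4876 Scanning Kernel memory ...
23:41:54:125 4876 Driver Name: Disk
23:41:54:125 4876 IRP_MJ_CREATE : BA91EC30
23:41:54:125 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:125 4876 IRP_MJ_READ : BA918D9B
23:41:54:125 4876 IRP_MJ_WRITE : BA918D9B
23:41:54:125 4876 IRP_MJ_DEVICE_CONTROL : BA91944D
23:41:54:125 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:156 4876 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1

23:41:54:156 4876 Driver Name: usbstor
23:41:54:156 4876 IRP_MJ_CREATE : BAC1D218
23:41:54:156 4876 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:41:54:156 4876 IRP_MJ_READ : BAC1D23C
23:41:54:156 4876 IRP_MJ_DEVICE_CONTROL : BAC1D180
23:41:54:156 4876 IRP_MJ_SET_QUOTA : 804F4476
23:41:54:218 4876 C:\\WINDOWS\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: 1

23:41:54:250 4876 Driver Name: atapi
23:41:54:250 4876 IRP_MJ_CREATE : 8A49BD01
23:41:54:250 4876 IRP_MJ_CREATE_NAMED_PIPE : 8A49BD01
23:41:54:250 4876 IRP_MJ_READ : 8A49BD01
23:41:54:250 4876 IRP_MJ_WRITE : 8A49BD01
23:41:54:265 4876 IRP_MJ_DEVICE_CONTROL : 8A49BD01
23:41:54:265 4876 IRP_MJ_SET_QUOTA : 8A49BD01
23:41:54:265 4876 Driver "atapi" infected by TDSS rootkit!
23:41:54:281 4876 C:\\WINDOWS\\system32\\drivers\\atapi.sys - Verdict: 1
"""


def parse_tdsskiller_log(text):
    """One dict per 'Driver Name:' block: name, dispatch {major: addr}, file, verdict."""
    drivers, current = [], None
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            current = {"name": m.group(1), "dispatch": {}, "file": None, "verdict": None}
            drivers.append(current)
            continue
        if current is None:
            continue
        m = IRP_RE.match(line)
        if m:
            current["dispatch"][m.group(1)] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.match(line)
        if m:
            current["file"], current["verdict"] = m.group(1), int(m.group(2))
    return drivers


def infer_default_stub(drivers):
    """Address shared by the most drivers: the kernel's 'major not implemented' stub."""
    shared_by = Counter()
    for d in drivers:
        for addr in set(d["dispatch"].values()):
            shared_by[addr] += 1
    return shared_by.most_common(1)[0][0] if shared_by else None


def find_hooked_dispatch(drivers, stub=None):
    """(name, address) for drivers whose whole table collapses onto one non-stub address."""
    stub = infer_default_stub(drivers) if stub is None else stub
    hooked = []
    for d in drivers:
        addrs = set(d["dispatch"].values())
        if len(d["dispatch"]) >= 2 and len(addrs) == 1 and stub not in addrs:
            hooked.append((d["name"], addrs.pop()))
    return hooked


def report(text):
    """Human-readable summary for a whole log."""
    drivers = parse_tdsskiller_log(text)
    stub = infer_default_stub(drivers)
    if stub is None:
        return "no dispatch tables found"
    lines = [f"kernel stub inferred as {stub:08X}"]
    for name, addr in find_hooked_dispatch(drivers, stub):
        lines.append(f"{name}: every major -> {addr:08X} (not the stub): dispatch table hooked")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is for the embedded excerpt, or pass a full log through `report(open(path).read())`. A single shared address is a lead, not a verdict: some legitimate filter drivers route every major through one pass-through routine, and the confirming check is whether that address lies inside the driver's own image. The TDSSKiller log format carries no module base or size, so the script reports the address and leaves the image-range check to the analyst.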


#4 Nawtheasta
  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 26 May 2010 - 01:23 AM

I just ran SUPERAntiSpyware and it found a couple of things. I restarted my computer, ran TDSSKiller again, and it found the same rootkit. I restarted my computer yet again after that, and it still says it's on there. I'm clueless as to what I should do at this point.

Also, my theme for my computer has somehow gone back to windows classic style, which started earlier today when I first found all the stuff on malwarebytes. Not sure if that has to do with the rootkit though.

I also ran my computer in safe mode just a few minutes ago, and it didn't detect anything in terms of rootkits, but it did detect the atapi driver being affected in a regular boot mode.

#5 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,947 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 26 May 2010 - 04:31 PM

Hello Nawtheasta,

To restate what Budapest said in a different way: the infection you have requires specialized tools to remove that are not allowed in this forum. Please follow the instructions in ==>This Guide<==, starting at step 6.

Once the proper logs are created, make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues.

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 Nawtheasta
  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 26 May 2010 - 05:09 PM

Hi Orange Blossom,
Thanks for your reply. This is actually my son's Dell laptop (XP, SP2).
He decided early today to do a repair install. He is telling me that this seems to have fixed the problem, so for now I guess we will be all set. Thank you again for your reply and for all you do to help people with their problems.
Best Regards,
Nawtheasta



