
malware infection and browser hijack


  • This topic is locked
15 replies to this topic

#1 HeeHaw5130
  • Members
  • 50 posts

Posted 08 June 2010 - 03:35 PM

Hi. I'm having problems with a malware infection that's been going on for the past week or so that I can't seem to get rid of no matter what I do.

I think it had something to do with the trojan my Avast 5 (free version) scanner picked up about a week ago. It listed the detection as "Win32:Trojan-gen" and the infection was removed afterwards. But I'm still having multiple problems, and I can only guess that it may be the result of the trojan's payload. My IE7 browser is all but crippled, and when it's not, I get anywhere from one to three different tabs opening up directing me to various and seemingly random websites. It's gotten so bad to where I had to install Firefox (not that it's a bad thing, or anything), and it seems that browser isn't immune either.

Besides the browser, I experience random lockups once in a while, but what happens more often is that at some point I can't seem to open any more legitimate programs or files. The mouse cursor shows the hourglass for a moment, disappears and then nothing. After that I always end up hitting the reset button on the computer since I can't even restart it within Windows anymore. It seems my Google searches are also being hijacked as well (had to manually copy and paste URLs while looking for help topics, especially on this site) and I can't get onto the Windows Update website for some mysterious reason. Whatever this is also has a tendency to disable my wireless adapter drivers and open random programs, but that doesn't happen quite often (happened only twice so far). Right now it's taken some sort of fancy with opening OpenOffice Writer and Acrobat Reader.

The final straw came today, when it randomly blacked out my screen and locked it up with an hourglass cursor. One reset later and it came back to normal.

What I've done so far was two normal full scans with Avast and then a boot-time scan with root-kit scanning. After finding nothing, I used Trend Micro Housecall and still found nothing. Spybot S&D and Ad-Aware got nothing either, except for a few measly browser cookies.

I'm finally stumped. I'm not sure what kind of prog this is, but I'm hoping it isn't also a keylogger or some nasty password stealer. Anyone got any ideas?

Here is my DDS report:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Doug Plemms at 14:19:58.12 on Tue 06/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.471 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Doug Plemms\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
uRun: [crguspub] c:\documents and settings\Doug Plemms\local settings\application data\mdxxeeiig\rahpgpqtssd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [TI WLAN] c:\program files\wirelwss lan utility\TIWLANCu.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [crguspub] c:\documents and settings\Doug Plemms\local settings\application data\mdxxeeiig\rahpgpqtssd.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264458498000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {9B431D64-C885-46E9-A2CC-633011F90ABC} = 192.168.254.254
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dougpl~1\applic~1\mozilla\firefox\profiles\p1jarl73.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-16 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-16 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-16 40384]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2010-4-26 438912]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\dougpl~1\locals~1\temp\alsysio.sys --> c:\docume~1\dougpl~1\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-16 40384]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-06-08 06:37:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-08 06:21:43 0 d--h--w- c:\windows\PIF
2010-06-03 14:35:55 0 d-----w- c:\windows\SxsCaPendDel
2010-05-19 23:06:05 0 d-----w- c:\program files\Messenger
2010-05-19 23:05:57 638 ------w- c:\windows\system32\wbem\napclientprov.mof
2010-05-19 23:03:32 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-05-19 23:01:35 19569 ----a-w- c:\windows\002675_.tmp
2010-05-19 22:59:25 0 d-----w- c:\windows\EHome
2010-05-16 23:06:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-30 15:38:55 16384 -csha-w- c:\windows\temp\cookies\index.dat
2010-01-30 15:38:55 32768 -csha-w- c:\windows\temp\history\history.ie5\index.dat
2010-01-30 15:38:55 32768 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:26:04.09 ===============



#2 Farbar
    Just Curious
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 June 2010 - 05:28 PM

Hi HeeHaw5130,

Welcome to this forum.

Please do the following if the issues you name are not resolved.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  2. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. Please post its content in your reply.


#3 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 11 June 2010 - 06:55 PM

Here are the contents of the log file:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86913EC5]<<
kernel: MBR read successfully
user & kernel MBR OK

#4 Farbar
    Just Curious
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 June 2010 - 07:07 PM

Close all the open windows.
  • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double-click TDLfix.exe to run the tool, a command window opens.
  • Type (or copy the following and right-click to paste) in the command window and press Enter:

    rasacd


  • The application will restart the computer immediately. After the restart it runs briefly, then closes.
  • Tell me whether the computer rebooted and the tool ran to completion.


#5 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 11 June 2010 - 07:49 PM

Yes, my computer restarted completely and the program showed a blue window after startup saying it would close shortly.

#6 Farbar
    Just Curious
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 June 2010 - 08:07 PM

The rootkit is taken care of and we need to remove the rest.
  1. We need to run this tool first:
    • Click RKill.pif to download and save it to your Desktop.
      RKill.pif
      RKill.scr
      RKill.com
      RKill.exe
    • In Windows XP double-click RKill; in Windows Vista right-click it and select "Run as Administrator".
    • A black screen will briefly flash, indicating a successful run.
    • If this does not occur, please delete that application and download RKill.scr.
    • Continue this process until the tool runs.

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#7 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 11 June 2010 - 08:19 PM

The file link for RKill.pif gives me a 404 error.

#8 Farbar
    Just Curious
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 June 2010 - 08:23 PM

It gives me the same. Try the next one. It doesn't matter which one you run.

#9 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 11 June 2010 - 09:02 PM

MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4190

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/11/2010 9:53:55 PM
mbam-log-2010-06-11 (21-53-55).txt

Scan type: Quick scan
Objects scanned: 126718
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crguspub (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crguspub (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.




How were you able to tell it was a rootkit?

#10 Farbar
    Just Curious
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 June 2010 - 09:15 PM

QUOTE
How were you able to tell it was a rootkit?

Everything: the redirection, and the GMER and MBR.exe logs. This is the TDL/TDSS rootkit. It had patched rasacd.sys and loaded from there. The tool we used replaces the bad file with a legit copy. If you run TDLfix.exe, type mbr and press Enter, you will get a different log. The redirection also stops after running the tool.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.


  3. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  4. Tell me how your computer is running now.
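Farbar's reasoning above (the redirects, the unknown module in the GMER MBR call chain, and the rogue Run entry) can be turned into a small triage check over the logs a user posts. The following Python script is an added example, not part of the original thread and not code from any of the tools named in it; it applies those three heuristics to the GMER and DDS lines HeeHaw5130 posted earlier, embedded here as sample input.

```python
import re

# Sample input: lines copied from the GMER MBR log and the DDS "Pseudo HJT
# Report" posted earlier in this thread.
GMER_MBR_LOG = """
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86913EC5]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

DDS_HJT_LINES = r"""
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
uRun: [crguspub] c:\documents and settings\Doug Plemms\local settings\application data\mdxxeeiig\rahpgpqtssd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [crguspub] c:\documents and settings\Doug Plemms\local settings\application data\mdxxeeiig\rahpgpqtssd.exe
Hosts: 127.0.0.1 www.spywareinfo.com
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)")
# Per-user data directory that legitimate XP autoruns rarely launch from.
LOCAL_APPDATA_RE = re.compile(r"\\local settings\\application data\\", re.I)


def unknown_kernel_modules(mbr_log):
    """Return addresses GMER could not map to any loaded driver image.

    'called modules:' lists the drivers on the disk I/O path. A
    '>>UNKNOWN [0x...]<<' entry means the chain passed through code that
    belongs to no known driver; in this thread Farbar attributed it to a
    patched rasacd.sys.
    """
    found = []
    for line in mbr_log.splitlines():
        if line.startswith("called modules:"):
            found.extend(UNKNOWN_RE.findall(line))
    return found


def suspicious_autoruns(hjt_text):
    """Flag Run entries launching from Local Settings\\Application Data and
    entries registered under both the user (uRun) and machine (mRun) hives."""
    entries = [m.groupdict() for m in map(RUN_RE.match, hjt_text.splitlines()) if m]
    scopes = {}
    for e in entries:
        scopes.setdefault(e["name"], set()).add(e["scope"])
    flagged = []
    for e in entries:
        reasons = []
        if LOCAL_APPDATA_RE.search(e["cmd"]):
            reasons.append("launches from Local Settings\\Application Data")
        if scopes[e["name"]] == {"u", "m"}:
            reasons.append("same value name in both HKCU and HKLM Run keys")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def hosts_redirects(hjt_text):
    """Return (ip, host) pairs from DDS 'Hosts:' lines; a security site pointed
    at 127.0.0.1 keeps the victim from reaching help or updates."""
    return [m.groups() for m in map(HOSTS_RE.match, hjt_text.splitlines()) if m]


def triage(mbr_log, hjt_text):
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"GMER: unknown module at {a} in disk I/O chain (possible patched driver)"
                for a in unknown_kernel_modules(mbr_log)]
    for e in suspicious_autoruns(hjt_text):
        findings.append(f"{e['scope']}Run [{e['name']}]: " + "; ".join(e["reasons"]))
    for ip, host in hosts_redirects(hjt_text):
        findings.append(f"Hosts: {host} redirected to {ip}")
    return findings


if __name__ == "__main__":
    for finding in triage(GMER_MBR_LOG, DDS_HJT_LINES):
        print(finding)
```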


#11 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 11 June 2010 - 10:07 PM

Everything works fine now. I did another MBAM scan just to make sure of things and it didn't find anything this time. Thanks.

Also, TDL/TDSS? I'm not familiar with the term. And was this nothing more than a browser hijack/redirect infection?

#12 Farbar
    Just Curious
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 June 2010 - 04:45 AM

The TDSS/TDL rootkit is more than just a browser hijack/redirect infection. It might block Windows updating by not allowing connections to the MS server or some other servers; it has a blacklist of servers. In some cases users can't upload a full log to this forum. It controls downloads too. The system is at times slower than normal, especially in Vista or Windows 7. The system might malfunction depending on the driver that is patched. It even patches the resident antivirus driver, causing the AV not to work properly. Some people may get boot problems, and in some cases the computer stops booting because the patched driver is a hardware controller driver or one of the drivers needed for a successful boot. Since the rise of this infection we have seen a lot of unbootable systems.

It looks good.
  1. You may delete any tool or log we used.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean; the default is already set to the (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.



#13 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 12 June 2010 - 11:22 AM

Yeah, you pretty much hit the nail on everything there. Any idea on what flavor or variant my computer was infected with? I tried googling one of the files that is part of the infection (C:\RECYCLER\ADAPT_Installer.exe), but all I can find are others' HJT logs who have had the same problem.

#14 Farbar
    Just Curious
  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 June 2010 - 07:06 PM

Yours is TDL3 rootkit infection. These are some readings about TDL/TDSS:
Tdss rootkit silently owns the net
BackDoor.Tdss.565 and its modifications (aka TDL3)
detection of TDL3 rootkit
[Rootkit] TDL3 – “Why so serious? Let’s put a smile..”
Tidserv and MS10-015

If you have no questions we can round off.

#15 HeeHaw5130
  • Topic Starter
  • Members
  • 50 posts

Posted 12 June 2010 - 08:30 PM

Wow, very informative resources. Thanks.

Alright, I'm pretty much done here. Thanks for your help.
