Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Strange behavior after TDSS.TDL4 rootkit/Virtumunde/koobface attempted removal


  • This topic is locked This topic is locked
2 replies to this topic

#1 et1swcnet

et1swcnet

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 14 December 2010 - 02:27 AM

I have a client who brought me their Dell Dimension 2400 desktop for a virus removal. Normally I don't have any problems getting a machine cleaned up and back to business, but this has me stumped.

When the machine was first brought to me, I used UBCD4WIN to scan for malware with Spybot S&D. After updating and scanning with SB S&D, Virtumunde was found along with the koobface worm. Both seemed to be removed with the scan. After removing the UBCD disk and rebooting the computer, I attempted to go online, and a popup occurred notifying of a $1,000.00 Walmart gift card. Also, any Google search got redirected to crazy sites...

I downloaded ComboFix, and scanned. It found TDL3 rootkit. I removed ComboFix and all logs. Rebooted machine. Browser still hijacked. Downloaded SB S&D and installed on infected machine. After update and scan, the program found no infection. Machine already had MBAM installed, so updated and scanned with MBAM, found nothing. Used my computer to search for Google Redirect Virus, and found information regarding TDSSKiller, downloaded it and it found TDSS.TDL4, and I made sure "Cure" was selected, and allowed TDSSKiller to do its thing.

I then put ComboFix back on the "infected" machine, and attempted a scan. It came back clear, so I uninstalled CF and deleted all logs.

I was going to install Comodo Internet Security (CIS) on the machine. After downloading and installing CIS, the machine reboots, and Windows installer starts trying to modify another program, namely "The Print Shop 22." Also CIS will not update the antivirus database.

After uninstalling CIS, and rebooting the computer, Windows installer does not try to modify The Print Shop 22 anymore, but reinstalling CIS causes this strange behavior again. I am certain that there is a registry key that is causing this problem, and have a feeling that this machine is not clean yet. Any help will be appreciated. I am attaching DDS logs, defogger log, and GMER log with this post.


What to do next?

Attached File  DDS.txt   5.75KB   3 downloads
Attached File  Attach.txt   10.18KB   1 downloads
Attached File  ark.txt   963bytes   2 downloads
Attached File  defogger_disable.log   472bytes   1 downloads

Regards,

ET1

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
Edit: Sorry about the initial wrong forum post. ~ ET1

Edited by et1swcnet, 14 December 2010 - 05:21 AM.


BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:55 PM

Posted 23 December 2010 - 09:13 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:55 PM

Posted 03 January 2011 - 04:08 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users