
Rootkit TDL4 removed (?)- Am I safe now?


2 replies to this topic

#1 Miekan (Members, 3 posts)

Posted 19 December 2010 - 11:12 AM

Hello, while surfing the web last week, my computer got infected with some trojans (among others TR/FakeAV.AF), one of them installing HDD Rescue on my computer. Meanwhile I was continually prompted with fake warnings like 'A critical error has occurred while indexing data stored on hard drive. System restart required' and 'Damaged hard drive clusters detected. Private data is at risk'. The trojans at some point even seemed to take over (?) my Avira, or made a copy of it, I am not sure. After a lot of hassle I managed to manually remove HDD Rescue, but by this time (fake?) Avira was running fake system scans which only took about 10 minutes instead of about 1 hour.

I started my computer in safe mode, deleted my TEMP folder, uninstalled Avira and tried to install it again, but after re-installation it would not let me run system scans (also not in Normal mode).
Installing AVG was somehow impossible, so I downloaded MBAM and it found the following:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bkaqoqocefuw (Trojan.Agent.U) -> Value: Bkaqoqocefuw -> Quarantined and deleted successfully.
  • c:\Users\Miek\AppData\Local\Temp\err.log101561112 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
  • c:\Users\Miek\AppData\Roaming\Adobe\plugs\kb101623450.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  • c:\Users\Miek\AppData\Roaming\Adobe\plugs\kb101662591.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  • c:\Users\Miek\AppData\Local\Nlnhib.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.

After that, I was able to install AVG and it found nothing, apart from some tracking cookies.

However, when using Google in Firefox, I suddenly had redirects to malware sites!
Also, my computer was really slow, calculating like mad when shutting down.
Besides, while starting up, I once got a blue screen of death (I did not take a picture, unfortunately).
And I also got a strange login screen, where I could only enter a nameless user account, while my two normal accounts had disappeared.
This went away after restarting.

AVG and MBAM found nothing, so I tried TDSSKiller, and it found a TDL4 rootkit. I had it removed a couple of hours ago, and my computer seems to be doing fine. After that, I also ran HitmanPro 3.5; it only found some tracking cookies.

TDSS Killer keeps finding a suspicious file:
C:\Windows\System32\Drivers\sptd.sys

Is this dangerous? Can I remove it?


Here is my GMER log:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-19 15:54:16
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3320620AS rev.3.ADG
Running: mp1lwpxk.exe; Driver: C:\Users\Miek\AppData\Local\Temp\fwtdqpod.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84C181F8
Device \Driver\atapi \Device\Ide\IdePort0 84C181F8
Device \Driver\atapi \Device\Ide\IdePort1 84C181F8
Device \Driver\atapi \Device\Ide\IdePort2 84C181F8
Device \Driver\atapi \Device\Ide\IdePort3 84C181F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84C181F8
Device \FileSystem\Ntfs \Ntfs 84C191F8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\fastfat \Fat 85EE7500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


I just want to be sure that my system is clean again, because I am worried about my privacy and the safety of my files.
As you have probably concluded after reading the above, I am not a whizz kid, but I followed some of the advice given to others on different forums. Any help or reassurance would be greatly appreciated! Thank you in advance!
:orange:
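Added example (not from the poster, nor code from GMER, MBAM or TDSSKiller): a small Python triage script that parses the GMER "Devices" section quoted above into records, lists which filter drivers are attached to which device object, flags attached drivers whose vendor is outside an assumed allowlist, and sorts the MBAM/TDSSKiller paths by where they live (Run-key persistence, user-writable directories, the kernel driver directory). The allowlist, the location classes and the copied log text are assumptions and constructed input, not output of any of those tools.

```python
"""Triage of the GMER device listing and MBAM findings quoted in the post above.

Added example, not part of the original post. The vendor allowlist and the
location classes are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: the "Devices" section of the GMER log from the post.
GMER_DEVICES = r"""
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84C181F8
Device \Driver\atapi \Device\Ide\IdePort0 84C181F8
Device \Driver\atapi \Device\Ide\IdePort1 84C181F8
Device \Driver\atapi \Device\Ide\IdePort2 84C181F8
Device \Driver\atapi \Device\Ide\IdePort3 84C181F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84C181F8
Device \FileSystem\Ntfs \Ntfs 84C191F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\fastfat \Fat 85EE7500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
"""

# Constructed sample: the objects named in the MBAM and TDSSKiller output above.
MBAM_FINDINGS = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bkaqoqocefuw",
    r"c:\Users\Miek\AppData\Local\Temp\err.log101561112",
    r"c:\Users\Miek\AppData\Roaming\Adobe\plugs\kb101623450.exe",
    r"c:\Users\Miek\AppData\Roaming\Adobe\plugs\kb101662591.exe",
    r"c:\Users\Miek\AppData\Local\Nlnhib.dll",
    r"C:\Windows\System32\Drivers\sptd.sys",
]

# Assumption: vendors whose filter drivers are expected on this particular machine.
ALLOWED_VENDORS = {"Microsoft Corporation", "AVG Technologies CZ, s.r.o."}

DEVICE_RE = re.compile(r"^Device (\S+) (\S+) ([0-9A-Fa-f]{8})$")
ATTACHED_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.*)\)\s*$")


@dataclass
class GmerEntry:
    kind: str               # "Device" or "AttachedDevice"
    driver_object: str      # e.g. \Driver\atapi
    device: str             # e.g. \Device\Ide\IdePort0
    address: str = ""       # device object address (Device lines only)
    driver_file: str = ""   # attached filter driver (AttachedDevice lines only)
    description: str = ""   # text before the last "/" in the parentheses
    vendor: str = ""        # text after the last "/" in the parentheses


def parse_gmer(text: str) -> List[GmerEntry]:
    """Turn the Devices section into records; lines of other shapes are skipped."""
    entries: List[GmerEntry] = []
    for line in text.strip().splitlines():
        m = DEVICE_RE.match(line)
        if m:
            entries.append(GmerEntry("Device", m.group(1), m.group(2), address=m.group(3)))
            continue
        m = ATTACHED_RE.match(line)
        if m:
            desc, _, vendor = m.group(4).rpartition("/")  # GMER prints "description/vendor"
            entries.append(GmerEntry("AttachedDevice", m.group(1), m.group(2),
                                     driver_file=m.group(3),
                                     description=desc.strip(), vendor=vendor.strip()))
    return entries


def filters_on(entries: List[GmerEntry], device: str) -> List[str]:
    """Filter drivers attached to one device object, in the order GMER listed them."""
    return [e.driver_file for e in entries if e.kind == "AttachedDevice" and e.device == device]


def unexpected_filters(entries: List[GmerEntry], allowed: Set[str]) -> List[GmerEntry]:
    """Attached filter drivers whose vendor is not on the allowlist; a hidden
    component sitting on the file-system or network stack would show up here
    with an empty or unfamiliar vendor string."""
    return [e for e in entries if e.kind == "AttachedDevice" and e.vendor not in allowed]


def classify_location(path: str) -> str:
    """Coarse bucket for a scanner finding by where the object lives."""
    p = path.upper()
    if p.startswith("HKEY_") and "\\RUN\\" in p:
        return "run-key persistence"
    if "\\SYSTEM32\\DRIVERS\\" in p:
        return "kernel driver"
    if "\\APPDATA\\" in p or "\\TEMP\\" in p:
        return "user-writable location"
    return "other"


def triage(entries: List[GmerEntry], findings: List[str], allowed: Set[str]) -> Dict[str, object]:
    return {
        "unexpected_filters": [e.driver_file for e in unexpected_filters(entries, allowed)],
        "locations": {f: classify_location(f) for f in findings},
    }


if __name__ == "__main__":
    ents = parse_gmer(GMER_DEVICES)
    for dev in (r"\Ntfs", r"\Fat", r"\Device\Tcp"):
        print(dev, "<-", filters_on(ents, dev))
    print(triage(ents, MBAM_FINDINGS, ALLOWED_VENDORS))
```

On this log every attached filter belongs to Microsoft or AVG, so the allowlist check comes back empty and the interesting findings are the randomly named Run-key value and the executables under AppData, which is where the FakeAV components were persisting. The script only reports; it never deletes. For the sptd.sys warning in particular that matters: sptd.sys is the SCSI pass-through driver installed by disc-image software such as Daemon Tools and Alcohol 120%, and rootkit scanners routinely list it as "suspicious" because it hides itself with rootkit-like techniques, so the next step is to check the file's publisher signature and whether such software is installed, not to remove it.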


#2 Miekan (Topic Starter, Members, 3 posts)

Posted 19 December 2010 - 12:44 PM

Update: Now DEP has closed Windows Installer; it didn't say why, and Windows Update is telling me there is 1 important update, but this update does not seem to have a name or any more information to it. It looks strange to me, as I already installed 2 important updates today which did have additional information. A couple of days ago I noticed in my toolbar two icons of Windows Update at the same time! Both were saying there were updates. Seems suspicious to me....

#3 Miekan (Topic Starter, Members, 3 posts)

Posted 19 December 2010 - 01:03 PM

And MBAM has just found a rogue agent in a registry value! Seems I am not done yet :wacko:



