Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windows discovery trojan


  • This topic is locked This topic is locked
3 replies to this topic

#1 HealMePlease

HealMePlease

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 01 May 2011 - 06:51 PM

PC had windows recovery trojan on it.
Followed instructions and ran rkill to kill the process and have manually deleted the windows recovery virus exe file and remeoved the current version\Run registry entry.

Now the problem, there are browser redirects(not as bad as before) and IE script errors. It is constanly popping up with a ie script error message to you want to continue running this script? The url displayed is random and like from ad sites. Please help on removing this rootkit!. I do not want to run combofix without any supervision. That is why I am posting here. Any help would be greatly appreciated.
TDDSKILLER will not run even after renaming it.

Here are some logs.

GMER LOGS
GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-29 19:09:02
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y080L0 rev.YAR41BW0
Running: gmer.exe; Driver: C:\DOCUME~1\THEENG~1\LOCALS~1\Temp\pxtdipob.sys


---- System - GMER 1.0.15 ----

SSDT E1CE1538 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys F7622BD0 4 Bytes [36, 9A, 4D, 80]
INITc VolSnap.sys F7622BF8 4 Bytes [8C, 87, 4E, 80]
INITc VolSnap.sys F7622C20 4 Bytes [A0, C1, 4D, 80]
INITc VolSnap.sys F7622C48 4 Bytes [B0, C8, 4D, 80]
INITc VolSnap.sys F7622C70 4 Bytes [09, BF, 4D, 80]
INITc ...
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77BA760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB97C5F80]
? C:\WINDOWS\system32\AA.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!HttpAddRequestHeadersA 3D94632F 5 Bytes JMP 00B918D5
.text C:\WINDOWS\Explorer.EXE[1376] WININET.dll!HttpAddRequestHeadersW 3D9AA4C5 5 Bytes JMP 00B91A9D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 89B34E7A
Thread System [4:124] 89B37008

---- EOF - GMER 1.0.15 ----



Here is the MBAM log
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6475

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

4/30/2011 12:23:43 AM
mbam-log-2011-04-30 (00-23-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 253163
Time elapsed: 4 hour(s), 37 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\the engels\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\the engels\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\the engels\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

This post has been edited by cjcummings: 29 April 2011 - 11:26 PM

Edited by HealMePlease, 01 May 2011 - 06:56 PM.


BC AdBot (Login to Remove)

 


#2 HealMePlease

HealMePlease
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 02 May 2011 - 01:27 PM

If someone can help please, it would be greatly appreciated. Seeme like it is affecting some other apps such as outlook as well =(

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 02 May 2011 - 02:12 PM.


#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:49 AM

Posted 09 May 2011 - 07:52 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:49 AM

Posted 14 May 2011 - 08:35 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users