
Infected with TDSS.E!RootKit



#1 EX250

Posted 21 June 2011 - 02:45 PM

Good afternoon,
After having a PC get hit with the Windows XP Repair & TDSS.E Rootkit, I'm having a hard time getting rid of the rootkit. The suggested TDSSKILLER will not run on the PC; I've tried renaming it before copying it to the desktop, running it from a USB stick, safe mode, etc. (rkill has been run with the different scenarios also). TDSSKILLER just doesn't start. I have run Kaspersky Rescue Disk 10, which identified the file C:\Windows\System32\Drivers\volsnap.sys as having the infection. When this file was removed by Kaspersky, the PC would blue screen when booting (normal or safe mode). I restored the image I had created prior to running Kaspersky and am (of course) back with the infection. If I perform a scan using the McAfee A/V that is installed on the PC, it does find the rootkit in volsnap.sys and says it cleaned it, but after reboot, it just comes back.
I am attaching the usual log files. Please let me know what additional information I can provide.

Thank you in advance for the assistance.
Brett

Contents of the dds.txt file
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mazurski at 14:30:09 on 2011-06-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.497 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\BOSSDE\DEClntNT.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.simsbury-ct.gov/
uInternet Settings,ProxyOverride = 10.8.16.*; 10.8.17.154;<local>
uInternet Settings,ProxyServer = 10.1.34.158:8080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{B681A46F-17DC-4911-8544-404E934DB64C} : NameServer = 10.8.16.9,10.1.16.51
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-22 343664]
R2 DEClntService;BOSS DiagWin Client;c:\bossde\DEClntNT.exe [2006-1-10 483328]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-10-15 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-9-29 70728]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-22 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-22 43288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-20 39984]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-9-29 65448]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-20 15:37:19 -------- d-sha-r- C:\cmdcons
2011-06-20 15:33:45 98816 ----a-w- c:\windows\sed.exe
2011-06-20 15:33:45 518144 ----a-w- c:\windows\SWREG.exe
2011-06-20 15:33:45 256512 ----a-w- c:\windows\PEV.exe
2011-06-20 15:33:45 208896 ----a-w- c:\windows\MBR.exe
2011-06-20 14:35:20 -------- d-----w- c:\documents and settings\mazurski\application data\Malwarebytes
2011-06-20 13:34:58 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-20 13:34:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-20 13:34:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-20 13:13:46 -------- d-----w- C:\Quarantine
2011-06-07 16:35:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-06-21 18:09:27 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
============= FINISH: 14:31:38.08 ===============

#2 Noviciate

Posted 21 June 2011 - 03:49 PM

Good evening. :)

Do you have a flashdrive of at least 128 Mb that you can wipe clean for a little tool to play with?

So long, and thanks for all the fish.

 

 


#3 EX250

Posted 21 June 2011 - 10:00 PM

Good evening. :)

Do you have a flashdrive of at least 128 Mb that you can wipe clean for a little tool to play with?


Hi Noviciate! I'm sure I can come up with one for this! :thumbup2:

Brett

#4 Noviciate

Posted 22 June 2011 - 02:08 PM

Good evening. :)

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to your Desktop - it doesn't have to be the infected PC.

  • Insert your USB drive.
  • Click Start > My Computer, right click your USB drive and select Format > Quick format.
  • Double click the unetbootin-xpud-windows-latest.exe file that you just downloaded.
  • Click Run then OK - this will install a little bootable OS on your USB.
  • After it has completed, do not choose to reboot the clean computer; simply close the installer.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB - directly or drag it there when it's downloaded.
  • If you are using a different PC to the sick one, remove the USB as this part is complete. If not, leave it where it is.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work. If it doesn't, let me know and we'll go for a different angle.

  • If necessary insert the USB stick into the sick PC and then boot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB before Windows starts loading
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Click the File icon on the left.
  • Expand mnt by clicking the little arrow to its left.
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all its fashionable black livery.
  • Type bash driver.sh -f and then <ENTER>
  • You will be prompted to input a filename - enter the following:

    • volsnap.sys
  • Press <ENTER>.
  • If done successfully, the script will search for copies of this file on your system.
  • After it has finished a report will be located in the USB drive as filefind.txt.
Please note - all text entries are case sensitive

Let me have the contents of the file, or let me know if you had any problems.

So long, and thanks for all the fish.

 

 


#5 EX250

Posted 23 June 2011 - 02:53 PM

OK, I got all the way through the boot process, but when I go to mnt, the only device listed is sda1, which is the hard drive. I don't see the USB drive there.

#6 Noviciate

Posted 23 June 2011 - 04:28 PM

Good evening. :)

This seems to be a common issue. When you get to where you were, pull out the flashdrive, count to ten, then put the flashdrive back in and it should autodetect.

So long, and thanks for all the fish.

 

 


#7 EX250

Posted 24 June 2011 - 06:43 PM

I didn't get a chance to try this today, I will give it a shot on Monday and report back.

Brett

#8 EX250

Posted 27 June 2011 - 06:56 AM

OK, that worked like you said it would. Here are the results:

/mnt/sda1/WINDOWS/ServicePackFiles/i386/volsnap.sys
/mnt/sda1/WINDOWS/system32/drivers/volsnap.sys
/mnt/sda1/WINDOWS/$NtServicePackUninstall$/volsnap.sys
/mnt/sda1/WINDOWS/LastGood/system32/drivers/volsnap.sys

Brett

#9 Noviciate

Posted 27 June 2011 - 01:53 PM

Good evening. :)

  • Boot the PC as before into xPud - the OS on the flashdrive.
  • Navigate to sda1/WINDOWS\system32\drivers\volsnap.sys.
  • Right click it and rename it to oldvolsnap.sys - this will disable the file but keep it handy should we need it later.
  • Now you need to navigate to the clean copy - sda1/WINDOWS/ServicePackFiles/i386/volsnap.sys
  • You want to right click and COPY the file - leave the original where it is, just in case.
  • Now go back to the sda1/WINDOWS\system32\drivers folder and paste the clean file into its new home.
  • Make sure that you can see volsnap.sys before you congratulate yourself.
  • Finally, shut down the PC as before, whip out the flashdrive and reboot into Windows.
Let me know how you get on and also how the PC is behaving.

So long, and thanks for all the fish.
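The search in post #4 and the swap in post #9 both rest on the copy of volsnap.sys in ServicePackFiles\i386 being the untouched original, and nothing in the thread checks that beyond the file name. As an added example (not driver.sh and not anything posted in this thread), the POSIX shell script below hashes every copy of a named driver under a mounted Windows volume and reports the copies whose content differs from a chosen reference copy; the directory tree it runs on is constructed to mirror the four paths reported in post #8, and the real mount path (/mnt/sda1 in xPUD) is an assumption.

```shell
# Added example (not driver.sh and not the thread's own code): list every copy of a
# named driver under a mounted Windows volume, hash each one, and report the copies
# whose hash differs from a chosen reference copy (here the ServicePackFiles\i386 one).
# Assumes the volume is mounted read-only at a path such as /mnt/sda1, as in xPUD.

# macOS has shasum instead of sha256sum; both print "hash  path" per file.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# list_copies ROOT NAME: "sha256  path" for each file named NAME (case-insensitive).
list_copies() {
    find "$1" -type f -iname "$2" | sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# distinct_hashes ROOT NAME: how many different contents the copies have.
# 1 means every copy is identical; more than 1 means at least one copy differs.
distinct_hashes() {
    list_copies "$1" "$2" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# odd_ones_out ROOT NAME REFERENCE: paths of copies whose hash differs from REFERENCE.
odd_ones_out() {
    ref=$(sha256sum "$3" | cut -d' ' -f1)
    list_copies "$1" "$2" | grep -v "^$ref " | sed 's/^[0-9a-f]*  //'
}

# make_sample_tree: constructed stand-in for the four paths reported in post #8,
# with the live system32\drivers copy altered to play the role of the patched driver.
make_sample_tree() {
    top=$(mktemp -d)
    for d in 'WINDOWS/ServicePackFiles/i386' 'WINDOWS/system32/drivers' \
             'WINDOWS/$NtServicePackUninstall$' 'WINDOWS/LastGood/system32/drivers'; do
        mkdir -p "$top/$d"
        printf 'constructed clean placeholder, not a real driver\n' > "$top/$d/volsnap.sys"
    done
    printf 'constructed altered placeholder, not a real driver\n' \
        > "$top/WINDOWS/system32/drivers/volsnap.sys"
    printf '%s\n' "$top"
}

demo_root=$(make_sample_tree)
echo "Copies of volsnap.sys under $demo_root:"
list_copies "$demo_root" volsnap.sys
echo "Distinct contents: $(distinct_hashes "$demo_root" volsnap.sys)"
echo "Copies differing from the ServicePackFiles original:"
odd_ones_out "$demo_root" volsnap.sys "$demo_root/WINDOWS/ServicePackFiles/i386/volsnap.sys"
rm -rf "$demo_root"
```

On the real disk, run odd_ones_out /mnt/sda1 volsnap.sys /mnt/sda1/WINDOWS/ServicePackFiles/i386/volsnap.sys from the xPUD terminal; a mismatch in the live system32\drivers copy is what you would expect from the infection described here, whereas the copy under $NtServicePackUninstall$ is the pre-service-pack version and legitimately differs.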

 

 


#10 EX250

Posted 27 June 2011 - 02:18 PM

Thanks, I followed your instructions and the PC did boot, but seems really slow. I am performing a MWB scan on it at this time. I'll post back the status once it completes.

Thank you again for spending time on this with me.
Brett

#11 EX250

Posted 28 June 2011 - 07:42 AM

OK, the MWB scan completed; the only thing it found was the IEXPLORE.EXE (RKILL) I had downloaded. Other than that it did not report any other detections.
The system does seem to be running quicker today; I'm thinking that it may have been performing A/V updates before.

The last problem I'm seeing is that all the icons under Administrative Tools are missing (both from Control Panel and the Start Menu). I have run the unhide program for resetting the hidden icons from malware infections and that did not correct it.

Brett

#12 EX250

Posted 28 June 2011 - 09:32 AM

I'm all set Noviciate! Thank you for the help, it is much appreciated!
Brett

#13 Noviciate

Posted 02 July 2011 - 05:53 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 




