Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cleaned out SMART HDD, still have a rootkit / google redirects


  • This topic is locked This topic is locked
41 replies to this topic

#31 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 18 April 2012 - 05:44 PM

TDSSKiller reports no infections.

BC AdBot (Login to Remove)

 


#32 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:08 PM

Posted 18 April 2012 - 06:25 PM

That's good but can you post the log so I can check a few other less obvious things.
Posted Image
m0le is a proud member of UNITE

#33 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 18 April 2012 - 06:34 PM

This is the output that I found in C:\




18:43:41.0296 1320 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
18:43:41.0312 1320 ============================================================
18:43:41.0312 1320 Current date / time: 2012/04/18 18:43:41.0312
18:43:41.0312 1320 SystemInfo:
18:43:41.0312 1320
18:43:41.0312 1320 OS Version: 5.1.2600 ServicePack: 3.0
18:43:41.0312 1320 Product type: Workstation
18:43:41.0312 1320 ComputerName: D9VCNLK1
18:43:41.0312 1320 UserName: Walter
18:43:41.0312 1320 Windows directory: C:\WINDOWS
18:43:41.0312 1320 System windows directory: C:\WINDOWS
18:43:41.0312 1320 Processor architecture: Intel x86
18:43:41.0312 1320 Number of processors: 2
18:43:41.0312 1320 Page size: 0x1000
18:43:41.0312 1320 Boot type: Normal boot
18:43:41.0312 1320 ============================================================
18:43:43.0468 1320 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:43:43.0468 1320 \Device\Harddisk0\DR0:
18:43:43.0468 1320 MBR used
18:43:43.0468 1320 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2738A, BlocksNum 0x129F1737
18:43:43.0531 1320 Initialize success
18:43:43.0531 1320 ============================================================
18:43:50.0156 1508 Deinitialize success

#34 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:08 PM

Posted 18 April 2012 - 06:35 PM

So, TDSS has been removed. Still not getting a full TDSSKiller log though... :blink:

How is the redirecting?
Posted Image
m0le is a proud member of UNITE

#35 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 18 April 2012 - 06:44 PM

I don't appear to be getting any. :thumbup2:

#36 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:08 PM

Posted 18 April 2012 - 07:06 PM

That looks good. Please run MBAM and ESET's online scan so we can check for other malware. Please avoid manually rebooting the computer at this stage.

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.
Posted Image
m0le is a proud member of UNITE

#37 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 18 April 2012 - 09:15 PM

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.18.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Walter :: D9VCNLK1 [administrator]

4/18/2012 8:47:00 PM
mbam-log-2012-04-18 (20-47-00).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 335075
Time elapsed: 1 hour(s), 7 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP451\A0166578.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP451\A0166579.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\16.04.2012_20.31.37\mbr0000\tdlfs0000\tsk0006.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.

(end)

#38 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 19 April 2012 - 04:36 PM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ae8daf46f773694c893d0c7eeef7d560
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-02 03:54:47
# local_time=2012-04-01 11:54:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 58832129 58832129 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=9895
# found=3
# cleaned=3
# scan_time=1082
C:\Documents and Settings\Walter\Application Data\Sun\Java\Deployment\cache\6.0\33\7d358f61-5e8fa5a9 a variant of Java/TrojanDownloader.OpenStream.NCM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Walter\Application Data\Sun\Java\Deployment\cache\6.0\43\58630b2b-65a9abbe Java/TrojanDownloader.OpenStream.NCM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Walter\Local Settings\Application Data\lhpygj\ydklsftav.exe a variant of Win32/Kryptik.DHM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=95f652349ad3b347909313707fcc2416
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-19 03:42:20
# local_time=2012-04-18 11:42:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 60296508 60296508 0 0
# compatibility_mode=8192 67108863 100 0 543279 543279 0 0
# scanned=88646
# found=5
# cleaned=5
# scan_time=4756
C:\Documents and Settings\Walter\Local Settings\Application Data\Mozilla\Firefox\Profiles\f2m0ib8d.default\Cache(5)\C\95\868E2d01 JS/Kryptik.MK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Walter\Local Settings\Application Data\3570694465.dll.vir a variant of Win32/Kryptik.DJM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP452\A0167073.exe a variant of Win32/Kryptik.DHM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\16.04.2012_20.31.37\mbr0000\tdlfs0000\tsk0004.dta Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\16.04.2012_20.31.37\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#39 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:08 PM

Posted 19 April 2012 - 07:02 PM

That looks clean now. Any problems remaining on the machine?
Posted Image
m0le is a proud member of UNITE

#40 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 19 April 2012 - 07:07 PM

Seems OK to me! :thumbsup:

#41 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:08 PM

Posted 19 April 2012 - 07:24 PM

Excellent, okay, here's the final instructions

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Jdk 6 Update 31 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u31-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it walltron3030, happy surfing!

Cheers.

m0le

Edited by m0le, 19 April 2012 - 07:24 PM.

Posted Image
m0le is a proud member of UNITE

#42 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:08 PM

Posted 24 April 2012 - 07:23 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users