Infected with TDSS



#1 leandromnc
  • Members
  • 5 posts
  • Local time:08:30 AM

Posted 25 November 2016 - 07:06 PM

Dear guys,

Can someone help me by checking my log from FRST?

Thanks

[Merged topics then posts. Content was identical but for the attached log.~ OB]


Edited by Orange Blossom, 25 November 2016 - 07:42 PM.



#2 garioch7
    RCMP Veteran
  • Malware Response Instructor
  • 3,332 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:06:30 AM

Posted 29 November 2016 - 12:14 PM

leandromnc:
 
Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I would like to address you by your first name, if that is alright with you, since we will be working together.
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs that you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil
 
PS:  We are not all "guys" here - some of our best and brightest MRT members and instructors are women.   :)

Member of the Unified Network of Instructors and Trusted Eliminators


#3 garioch7
Posted 30 November 2016 - 07:07 AM

leandromnc:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear." I do see that WinCDEmu is installed on your computer - PLEASE DISABLE IT.
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

OK, let's get started ...

First off, your topic title suggests that you suspect that your computer is infected with a TDSS rootkit. You have not provided any information as to the symptoms that your computer is exhibiting that would lead you to that conclusion. Would you be kind enough to provide me with as much detailed information as possible to assist me to assess what might be wrong with your computer? Your FRST logs are not showing any signs of serious infection; HOWEVER, FRST does not detect everything.

Your FRST logs show that RogueKiller is installed on your computer. I am assuming that you did run a scan with it? What did RogueKiller report? Can you copy and paste the scan results into your next reply?

Step 1: A few questions:

  • Are you aware that System Restore is disabled on your computer?
  • The computer appears to be a possible work computer. Can you tell me more about it?
  • Did you, or your company (if it is a business computer) set any "Group Policy Restrictions" because I am seeing one in the logs?

Step 2: In going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

I will await your responses. I did see some minor issues that I will address with a FRST "fix" in a later post, once I have a better idea about the issues that your computer is experiencing.

Thank you and have a great day.

Regards,
-Phil




#4 leandromnc (Topic Starter)

Posted 30 November 2016 - 09:51 AM

Hi,

Thanks for your reply, and thanks for helping people all over the world.

Answering your questions:

1) Are you aware that System Restore is disabled on your computer?

A: No, I'm not.

2) The computer appears to be a possible work computer. Can you tell me more about it?

A: No, it's a personal computer. But I'm a web developer, so there is some development software installed.

3) Did you, or your company (if it is a business computer) set any "Group Policy Restrictions" because I am seeing one in the logs?

A: I didn't set any "Group Policy Restriction".

Consideration:

The rootkit software was installed on my computer manually (by a person). I'm 100% sure about it.

And they hacked my passwords.

Regards,

Leandro


Edited by leandromnc, 30 November 2016 - 09:52 AM.


#5 garioch7
Posted 30 November 2016 - 02:24 PM

leandromnc:

Your topic title suggests that you believe that your computer is infected with a TDSS rootkit, but you are not providing me with any substantial reason(s) to suspect a TDSS rootkit infection.

Consideration:
The rootkit software was installed on my computer manually (by a person). I'm 100% sure about it.
And they hacked my passwords.

With respect, how do you know that? Why are you so sure? Please help me to understand your reasoning. When did this happen?

I am not seeing any evidence of serious malware on your computer in the FRST logs that you provided, but we can run very powerful anti-rootkit software if there is reason to do so.

Before doing that, I need to understand. There is always a danger, running any kind of powerful anti-malware software, that your computer could be damaged, so before taking that step, I would like to have reason to believe that the small risk of running the software is justified. You would not, quite rightly, thank me for unnecessarily causing damage to your computer or to your files.

Step 1: Please enable your System Restore. Instructions can be found at this link. You do have a small C:\ drive, so I would allocate somewhere between 7 and 10 GB for System Restore points.

Step 2: Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the folder where FRST64.exe is located: D:\Software\AntiVirus.

NOTE: It's important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

CreateRestorePoint:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicy: Restriction <======= ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 MFE_RR; \??\C:\Users\leand\AppData\Local\Temp\mfe_rr.sys [X]

Right click FRST64.exe, and select "Run as Administrator".
Then press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log in the folder from which it was run (Fixlog.txt) or on the Desktop. Please copy and paste the contents of that log file into your reply.

Step 3: You did not answer the question as to whether you had ever run RogueKiller; and, whether you still had the scan log. If you did run RogueKiller, it might not have been in the last 30 days, because I am not seeing its scan log in the FRST logs. There are two RogueKiller entries, dated 2016-11-21 and 2016-10-03, showing in the FRST logs, but neither of those entries is a RogueKiller scan log. Of course, it is possible that you deleted the scan log; or, that its generation was interfered with by a malware infection; or, that you ran it more than 30 days ago.

2016-11-21 16:04 - 2016-11-21 16:04 - 00000899 _____ C:\Users\leand\Desktop\RogueKiller.lnk
2016-11-21 16:04 - 2016-10-03 00:03 - 00000000 ____D C:\Program Files\RogueKiller


I ask you to please work with me. I am volunteering my time and training to help you. That is my only aim. I would like to remove any malware present on your computer; or, allay your concerns that malware might be present. To do that, I need as much information from you as possible as to issues that you are having with your computer and the reasons you have concluded that it has been infected with a TDSS rootkit.


Thank you and have a great day.

Regards,
-Phil




#6 leandromnc (Topic Starter)

Posted 30 November 2016 - 06:07 PM

Hi Phil,

Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-11-2016
Ran by leand (30-11-2016 22:56:18) Run:1
Running from D:\Software\AntiVirus
Loaded Profiles: leand & SQLTELEMETRY$SQLEXPRESS & MSSQL$SQLEXPRESS (Available Profiles: leand & Localuser & SQLTELEMETRY$SQLEXPRESS & MSSQL$SQLEXPRESS & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
 
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicy: Restriction <======= ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 MFE_RR; \??\C:\Users\leand\AppData\Local\Temp\mfe_rr.sys [X]
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key not found. 
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
ibtsiva => service removed successfully
MFE_RR => service not found.
 
 
The system needed a reboot.
 
==== End of Fixlog 22:56:19 ====
 
 
The two logs from RogueKiller were deleted.
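
A way to read a Fixlog.txt like the one above mechanically, as an added example (this is not FRST's own code and not anything the helper posted): it splits the log into the fixlist directives and the result lines, ties each directive to the result line(s) that mention it, and separates genuine failures (`Error:` / `Failed`) from entries that were simply already gone (`not found`), which is the normal outcome for an entry FRST marked `[X]` (its file is missing on disk, the "orphaned" entries the helper refers to). The per-directive key extraction and the keyword classification are assumptions about FRST's output format, inferred only from the log posted in this thread; the embedded sample is that log.

```python
import re

# Fixlog.txt as posted above, embedded as sample input so the script runs offline.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 30-11-2016
Ran by leand (30-11-2016 22:56:18) Run:1

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicy: Restriction <======= ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 MFE_RR; \??\C:\Users\leand\AppData\Local\Temp\mfe_rr.sys [X]
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key not found. 
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
ibtsiva => service removed successfully
MFE_RR => service not found.

The system needed a reboot.

==== End of Fixlog 22:56:19 ====
"""

SERVICE_RE = re.compile(r'^[RSU]\d\s+([^;]+);')          # "R2 name; path [X]"  (assumed format)
NOTIFY_RE = re.compile(r'^Winlogon\\Notify\\([^:\-]+)')   # "Winlogon\Notify\name-x32: dll" (assumed)


def split_fixlog(text):
    """Return (directives, result_lines, reboot_needed). Section markers are the '*****' rows."""
    lines = [l.rstrip() for l in text.splitlines()]
    stars = [i for i, l in enumerate(lines) if l.startswith('*****')]
    if len(stars) < 2:
        raise ValueError('no "fixlist content" section found')
    directives = [l for l in lines[stars[0] + 1:stars[1]] if l.strip()]
    results, reboot = [], False
    for l in lines[stars[1] + 1:]:
        if l.startswith('==== End of Fixlog'):
            break
        if l.startswith('The system needed a reboot'):
            reboot = True
        elif l.strip():
            results.append(l)
    return directives, results, reboot


def directive_key(directive):
    """Token expected to appear in the result line(s) for a directive (heuristic, assumed)."""
    m = SERVICE_RE.match(directive)
    if m:
        return m.group(1).strip()            # service name, e.g. "ibtsiva"
    m = NOTIFY_RE.match(directive)
    if m:
        return m.group(1)                    # Winlogon\Notify subkey, e.g. "SDWinLogon"
    if directive.startswith('CreateRestorePoint:'):
        return 'restore point'
    if directive.startswith('CloseProcesses:'):
        return 'Processes closed'
    return directive.split(':', 1)[0]        # e.g. "GroupPolicy"


def classify(result_line):
    """FAIL = FRST reported an error; ABSENT = nothing left to remove (stale [X] entry); OK = acted."""
    low = result_line.lower()
    if 'error' in low or 'failed' in low:
        return 'FAIL'
    if 'not found' in low:
        return 'ABSENT'
    if 'successfully' in low:
        return 'OK'
    return 'INFO'


def verdict(hits):
    """Collapse the result lines of one directive into a single status."""
    if not hits:
        return 'NO RESULT'
    statuses = {s for _, s in hits}
    for s in ('FAIL', 'OK', 'ABSENT'):
        if s in statuses:
            return s
    return 'INFO'


def analyze(text):
    directives, results, reboot = split_fixlog(text)
    report, matched = {}, set()
    for d in directives:
        key = directive_key(d).lower()
        hits = [(r, classify(r)) for r in results if key in r.lower()]
        matched.update(r for r, _ in hits)
        report[d] = hits
    unmatched = [r for r in results if r not in matched]   # result lines no directive explains
    return {'directives': report, 'unmatched': unmatched, 'reboot': reboot}


if __name__ == '__main__':
    res = analyze(SAMPLE_FIXLOG)
    for d, hits in res['directives'].items():
        print(f"{verdict(hits):9} {d}")
        for line, status in hits:
            print(f"          {status:6} {line}")
    print('unmatched result lines:', res['unmatched'])
    print('reboot required:', res['reboot'])
```

Run as a script it prints one verdict per directive: the failed `CreateRestorePoint:`, the three successful GroupPolicy moves, the removed `ibtsiva` service, the two stale entries that were already gone, and the reboot flag. A result line that no directive accounts for ends up in `unmatched`, which is the thing worth a second look when a fix does something you did not ask for.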


#7 garioch7
Posted 01 December 2016 - 06:02 AM

leandromnc:

Thank you for the FRST fixlog.txt. I see that creating the Restore Point failed. Did you actually configure your Restore Points on Drive C:\ and turn it on, as I requested in my previous post?

You did not respond to my questions about why you believe that you have a TDSS rootkit, so there is not much more that I can do for you, ethically. I don't unleash powerful anti-malware utilities on other people's computers unless I am convinced that the slight risk is justified.

How do you wish to proceed from here?

Have a great day.

Regards,
-Phil




#8 garioch7
Posted 04 December 2016 - 06:22 AM

leandromnc:

Are you still there? Do you still require assistance? It has been three days since I last posted.

In accordance with the policy for this Forum, if I have not heard from you in another two days, your topic will be closed. You can reopen it at any time by sending a private message to a Moderator.

Thank you and have a great day.

Regards,
-Phil




#9 leandromnc (Topic Starter)

Posted 04 December 2016 - 12:31 PM

Hi Phil,

I created an image backup, not a restore point. I executed the script as you asked. The results are in my last post.

In your analysis, is there an infection on my computer?

If not, thank you so much for your help and for dedicating your time to it.

Regards,

Phil



#10 garioch7
Posted 04 December 2016 - 02:13 PM

leandromnc:

Thank you for your post. You did not tell me that you had created an image backup, which is, of course, much superior to a Restore Point. That explains why the CreateRestorePoint: command in my FRST fixlist.txt failed to execute successfully.

I did not detect any signs of malware in your FRST logs. I did some cleanup of "orphaned" entries, and removed the Group Policy Restriction.

That said, FRST does not detect everything.

I am more than happy to assist you to check for a rootkit, but first I need to understand what makes you so sure that you have been infected with a rootkit. If the reason(s) are personal in nature, such that you would rather not post the details in a public forum, then please send me a private message outlining the reasons for your belief, and also explaining in as much detail as possible any, and all, symptoms that your computer is exhibiting.

As I said in a previous post, for ethical reasons, I do not run anti-malware tools on other people's computers unless I am assured that the benefit outweighs the slight risk of damaging the other person's computer and/or files. Also, there are other types of malware, other than rootkits, which can be very nasty, and I want to ensure that I run the appropriate anti-malware tool(s) for your situation. Malware removal is inherently risky, which is why, here at Bleeping Computer, a malware removal helper must have successfully completed the requisite training to respond to logs in this Forum.

As before, it is your decision, because it is YOUR computer. My motto is like that of the doctors: "Do NO harm", first and foremost.

Have a great day.

Regards,
-Phil

PS: You are most welcome for my time. I enjoy helping others defeat malware, in all its guises.




#11 garioch7
Posted 07 December 2016 - 06:25 AM

leandromnc:

I haven't heard from you in three days. Do you still require assistance?

In accordance with the policy for this Forum, if I have not heard from you in another two days, your topic will be closed. You can reopen it at any time by sending a private message to a Moderator.

Thank you and have a great day.

Regards,
-Phil




#12 garioch7

Posted 09 December 2016 - 06:22 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





