View Full Version : rootkitted



GroovingPict
2008-08-23, 20:36
I need some help.
I was visiting a website, suddenly a pop-up came up, and before I even had time to close it I had been f***ed, and a rootkit and other malware had installed themselves. I managed to remove some of it, but not all.
One of the effects it has is that many server names (such as the one for this forum) are looped to 127.0.0.1 (I had to look up the IP address to even get here).
My DNS server settings are OK. My hosts file is OK.
I downloaded RootAlyzer, and it found some files, all with filenames beginning with tdss*, hidden in the system32 folder. I tried deleting them with RootAlyzer, but two of them could not be deleted. Their filenames are tdssl.dll and tdssadw.dll.
I *think* that if I could delete those, I would've rid myself of this problem completely... but how do I delete them? I've tried doing it in safe mode too, of course, but no luck.

Cheers,
Tor
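Added example, not part of this thread or of the tools it recommends: a small Python script that narrows down where a loopback redirect like the one described above is happening. It asks the OS resolver (hosts file, resolver cache, winsock/LSP hooks) for a name, then sends a hand-built DNS A query straight to a nameserver over UDP/53 and parses the answer itself, so the local resolver stack is bypassed. If the direct answer is clean while the OS answer is 127.0.0.1, the interception sits on the machine below the hosts file. The nameserver 8.8.8.8 and the host forums.spybot.info are assumed choices, and the sample packets are constructed, not captured from an infection; the live comparison only runs when the script is executed directly.

```python
"""Compare what the OS resolver says about a host with what a nameserver says.

Added example (not from this thread).  Symptom: names resolve to 127.0.0.1
although the hosts file and DNS settings look clean.  A query built by hand
and sent straight to a nameserver over UDP bypasses the local resolver stack;
if that answer is clean while getaddrinfo() returns loopback, the
interception is local (cache, LSP/winsock hook, driver).
The nameserver 8.8.8.8 is an assumed choice; sample packets are constructed.
"""
import socket
import struct


def build_a_query(name, txid=0x1234):
    """Standard recursive query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_a_response(name, addrs, txid=0x1234, ttl=60):
    """Construct a response packet; used only to make offline sample input."""
    query = build_a_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    # 0xC00C is a compression pointer back to the name in the question section
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + answers


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: two bytes, then done
            return offset + 2
        offset += 1 + length


def parse_a_records(data):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if (flags & 0x8000) == 0:
        raise ValueError("not a response packet")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4        # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def direct_query(name, server="8.8.8.8", timeout=3.0):
    """Ask `server` directly over UDP/53, bypassing the local resolver stack."""
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def system_query(name):
    """Resolve through the OS (hosts file, resolver cache, winsock/LSP hooks)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, 80, socket.AF_INET)})


def classify(system_addrs, direct_addrs):
    """Say where a loopback redirect is happening, given both answers."""
    sys_loop = any(a.startswith("127.") for a in system_addrs)
    dir_loop = any(a.startswith("127.") for a in direct_addrs)
    if sys_loop and not dir_loop:
        return "local: resolver stack redirects (cache, LSP/winsock hook, driver)"
    if sys_loop and dir_loop:
        return "upstream: nameserver answers loopback, or UDP/53 is intercepted"
    if set(system_addrs) != set(direct_addrs):
        return "differ: answers disagree, inspect both"
    return "consistent"


# Constructed samples: an intercepted answer and a clean one for this forum's name.
SAMPLE_HIJACKED = build_a_response("forums.spybot.info", ["127.0.0.1"])
SAMPLE_CLEAN = build_a_response("forums.spybot.info", ["192.0.2.10"])


if __name__ == "__main__":
    print(classify(parse_a_records(SAMPLE_HIJACKED), parse_a_records(SAMPLE_CLEAN)))
    try:                                        # live check, needs network access
        host = "forums.spybot.info"
        print(host, classify(system_query(host), direct_query(host)))
    except OSError as exc:
        print("live check skipped:", exc)
```

If the direct query also comes back as 127.0.0.1, or times out while other traffic works, the interception is at the packet level (a driver or an upstream box), which is why the script reports that case separately instead of blaming the hosts file.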

ken545
2008-08-26, 14:22
Hello Tor

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You did not give any info as to what Operating System you're running?

Download gmer.zip from here (http://www.majorgeeks.com/GMER_d5198.html) and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

Double click gmer.exe to begin:
If you get a message about "system modification", click Yes and work through the rest of the instructions.
Ensure that the Rootkit Tab at the top is selected.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click the Scan button on the right.
When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
Click the >>> Tab at the top and select the Autostart Tab.
Click the Scan button on the right - this one should only take seconds to complete.
Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install.
Follow the prompts; by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not Start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.