
Thread: Win32.TDSS.rtk help please!

  1. #1
    Junior Member
    Join Date
    Sep 2009
    Posts
    12

    Win32.TDSS.rtk help please!

    I have followed the instructions from your thread http://forums.spybot.info/showthread.php?t=288

    and have installed "ERUNT" and spybot S&D (disabled the teatimer and ran a scan in advanced mode)...attached is a .pdf of the notepad log report. Please help me remove this trojan once and for all...I've run autoruns and McAfee in safe and normal modes and it continues to "remove" it but it continues to return. The most obvious side effect I've noticed by the presence of this trojan is that my search result links are hijacked and that is about it (that I know about). Any help with the removal and preventative measures for the future is greatly appreciated.
    Thanks...will you email me how to find your responses...I'm a first time poster.
    sdfdesign

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi sdfdesign

    You are missing part of the instructions requirements: namely a HJT log. We can get that later. You have a rootkit on board. Your log is also a few days old. If you still need help removing it simply reply to the post using the add reply button.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Sep 2009
    Posts
    12

    help still needed

    Thank you Shelf Live for your reply...I do still need help...not sure how to go about getting an HJT log? Sorry, fairly new to this.

  4. #4
    Junior Member
    Join Date
    Sep 2009
    Posts
    12

    ignore the HJT uncertainty part of the last email...

    here is the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:44:34 PM, on 10/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Pro\CPFillerCo.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://searcher.apticonline.com
    O15 - Trusted Zone: owa.fnf.com
    O15 - Trusted Zone: http://*.metrolist.net
    O15 - Trusted Zone: http://*.rapmls.com
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1142701539015
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

    --
    End of file - 5756 bytes

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi sdfdesign,

    ok. We will get a download to use. It's called Combofix. There is a guide to read first which will explain some things. Read through the guide, download Combofix to your desktop. Disable your AV and antimalware as explained in the guide. Double-click the icon and follow the prompts. Post the Combofix log in your reply.

    Guide to using Combofix
    How Can I Reduce My Risk?

  6. #6
    Junior Member
    Join Date
    Sep 2009
    Posts
    12


    okay, thanks for your help too

  7. #7
    Junior Member
    Join Date
    Sep 2009
    Posts
    12

    ComboFix Log

    ComboFix 09-10-04.01 - Owner 10/05/2009 18:43.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.194 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\rotscxwydkrviu.sys
    c:\windows\system32\rotscxbymbpjwm.dat
    c:\windows\system32\rotscxkbeecxdk.dll
    c:\windows\system32\rotscxugfqxmfv.dat
    c:\windows\system32\rotscxvpykrirp.dll
    c:\windows\system32\rotscxyxwmnmpf.dll
    c:\windows\system32\twain.dll
    c:\windows\wpd99.drv

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_rotscxrtuyrwbw
    -------\Legacy_rotscxrtuyrwbw


    ((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
    .

    2009-09-29 13:29 . 2009-09-29 13:29 -------- d-----w- c:\program files\ERUNT
    2009-09-29 10:22 . 2009-09-29 10:22 -------- d-s---w- c:\documents and settings\Administrator\UserData
    2009-09-29 10:07 . 2009-09-29 10:07 -------- d-----w- C:\Autoruns
    2009-09-29 02:02 . 2009-09-29 02:02 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
    2009-09-25 13:23 . 2009-09-25 13:23 38 ----a-w- c:\windows\system32\DELCPL.BAT
    2009-09-25 04:18 . 2009-09-25 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-09-25 04:18 . 2009-09-29 02:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-09-24 11:06 . 2009-09-24 11:06 -------- d-----w- c:\program files\Trend Micro
    2009-09-14 02:29 . 2009-09-14 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2009-09-14 02:29 . 2009-09-14 02:29 -------- d-----w- c:\program files\McAfee Security Scan
    2009-09-09 13:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-29 11:55 . 2007-06-10 01:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-09-26 12:18 . 2006-03-15 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-09-25 13:26 . 2006-03-21 21:21 -------- d-----w- c:\program files\pdf995
    2009-09-25 13:25 . 2006-03-15 03:17 -------- d-----w- c:\program files\Google
    2009-09-25 13:24 . 2007-02-24 19:31 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-09-15 09:40 . 2009-05-06 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-09-14 02:32 . 2006-03-19 21:46 -------- d-----w- c:\program files\Common Files\Adobe
    2009-08-07 08:17 . 2006-03-15 02:41 -------- d-----w- c:\program files\Intel
    2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-12 19:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
    2007-06-08 11:08 . 2007-06-08 11:08 774144 ----a-w- c:\program files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2008 6:01 PM 210216]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-26 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-26 17:53]

    2008-08-26 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-26 17:53]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: apticonline.com\searcher
    Trusted Zone: fnf.com\owa
    Trusted Zone: metrolist.net
    Trusted Zone: rapmls.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    SafeBoot-mfehidk
    SafeBoot-mferkdk
    SafeBoot-mfetdik
    SafeBoot-mfetdik.sys
    AddRemove-HijackThis - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8N3Z2O1X\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-05 18:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    Completion time: 2009-10-06 18:56
    ComboFix-quarantined-files.txt 2009-10-06 01:56

    Pre-Run: 69,227,794,432 bytes free
    Post-Run: 69,363,691,520 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    121 --- E O F --- 2009-09-09 13:32
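    The ComboFix log above shows the naming pattern that TDSS-family rootkits leave behind: a kernel driver, several DLLs and .dat files that all share one random prefix (rotscx), plus Service_ and Legacy_ entries with that same prefix. The following triage script is an added example, not part of the thread or of ComboFix; it groups deleted-file and service lines by prefix and flags clusters matching that shape. The six-character prefix length and the sample lines (modelled on the log above) are assumptions.

```python
# Added example: group ComboFix-style deletion/service lines by shared prefix
# and flag TDSS-like clusters (driver + support files + matching service).
import re
from collections import defaultdict

# Constructed sample, modelled on the ComboFix log in the thread.
SAMPLE_COMBOFIX_LINES = """
c:\\windows\\system32\\drivers\\rotscxwydkrviu.sys
c:\\windows\\system32\\rotscxbymbpjwm.dat
c:\\windows\\system32\\rotscxkbeecxdk.dll
c:\\windows\\system32\\rotscxugfqxmfv.dat
c:\\windows\\system32\\rotscxvpykrirp.dll
c:\\windows\\system32\\rotscxyxwmnmpf.dll
c:\\windows\\system32\\twain.dll
c:\\windows\\wpd99.drv
-------\\Service_rotscxrtuyrwbw
-------\\Legacy_rotscxrtuyrwbw
"""

PREFIX_LEN = 6  # assumption: the shared random prefix is 6 characters long

# Matches a full path ending in name.sys / name.dll / name.dat
FILE_RE = re.compile(r"^[a-z]:\\.*\\([a-z0-9]+)\.(sys|dll|dat)$", re.I)
# Matches ComboFix "-------\Service_xxx" and "-------\Legacy_xxx" lines
SVC_RE = re.compile(r"^-+\\(?:Service|Legacy)_([a-z0-9]+)$", re.I)


def group_by_prefix(lines):
    """Return {prefix: {"files": set, "exts": set, "services": set}}."""
    groups = defaultdict(lambda: {"files": set(), "exts": set(), "services": set()})
    for line in lines:
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            name, ext = m.group(1).lower(), m.group(2).lower()
            g = groups[name[:PREFIX_LEN]]
            g["files"].add(name + "." + ext)
            g["exts"].add(ext)
            continue
        m = SVC_RE.match(line)
        if m:
            name = m.group(1).lower()
            groups[name[:PREFIX_LEN]]["services"].add(name)
    return groups


def find_tdss_like_clusters(lines, min_files=3):
    """Flag prefixes that have a .sys driver, >= min_files files and a same-prefix service."""
    hits = {}
    for prefix, g in group_by_prefix(lines).items():
        if "sys" in g["exts"] and len(g["files"]) >= min_files and g["services"]:
            hits[prefix] = {"files": sorted(g["files"]), "services": sorted(g["services"])}
    return hits


if __name__ == "__main__":
    for prefix, info in find_tdss_like_clusters(SAMPLE_COMBOFIX_LINES.splitlines()).items():
        print(prefix, len(info["files"]), "files; services:", ", ".join(info["services"]))
```

    A prefix cluster is only a triage lead: vendor-prefixed driver families (the McAfee mfehidk.sys and mferkdk.sys entries further down this log, for instance) would also cluster, so a real run needs a whitelist of known vendor prefixes.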

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi,

    ok so far so good. We will get another download to use which you can keep and use as an anti-malware app. Link and directions:

    Please download Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer for the fix to continue*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.
    NOTE: The free version must be updated manually.
    How Can I Reduce My Risk?

  9. #9
    Junior Member
    Join Date
    Sep 2009
    Posts
    12

    ready for more

    that was a fun 2 hours+...k what's up next


    Malwarebytes' Anti-Malware 1.41
    Database version: 2916
    Windows 5.1.2600 Service Pack 3

    10/6/2009 7:23:51 PM
    mbam-log-2009-10-06 (19-23-51).txt

    Scan type: Full Scan (A:\|C:\|D:\|F:\|G:\|H:\|I:\|)
    Objects scanned: 194439
    Time elapsed: 2 hour(s), 22 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxvpykrirp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP0\A0000004.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP1\A0000055.sys (Worm.Agent) -> Quarantined and deleted successfully.

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi sdfdesign

    ok, looks good. You can get one more tool to use as a check, then we should be all done. This scan should go a lot quicker...

    Please download: RootRepeal

    http://ad13.geekstogo.com/RootRepeal.exe

    Click the icon on your desktop to start.
    Click on the Report tab at the bottom of the window
    Next, Click on the Scan button
    In the Select Scan Window check everything:

    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services

    Click the OK button
    In the next dialog window select all the drives that are listed
    Click OK to start the scan

    May take some time to complete.
    When done click the Save Report button.
    Save the report to your desktop
    To Exit RootRepeal: click File>Exit
    Post the report in your reply
    How Can I Reduce My Risk?
