
Thread: Malware/rootkit/something?

  1. #21
    Junior Member
    Join Date
    Feb 2010
    Posts
    16

    Alright, I tried to run it but it claimed it was "done" after scanning 0 files and running for 0 seconds (and, obviously, it didn't find anything). Should I turn off Norton and try it again?

  2. #22
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Please do, you need to temporarily disable your onboard anti-virus.

    If it still won't run, then try this one.

    Please do a scan with Kaspersky Online Scanner or from Here.
    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    • Once the scan is complete, click on View scan report. To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop
    • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    • Then, click: Save
    • Please post the Kaspersky Online Scanner Report in your reply.


    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23
    Junior Member
    Join Date
    Feb 2010
    Posts
    16

    Alright, I ran the first scan without my anti-virus running and it scanned, but it didn't find anything. I haven't scanned with Kaspersky yet. Should I?

  4. #24
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    I would, it can't hurt.

    How is your system behaving now?

  5. #25
    Junior Member
    Join Date
    Feb 2010
    Posts
    16

    (Haven't run the Kaspersky scan yet, because I need my computer and it makes more sense to run it overnight or sometime when that's all that's going on)

    It still gets "attacked" (HTTP Tidserv request, says Norton) by c36996639.cn/ whenever I search something in Google (application path goes through Firefox.exe). Every so often (20, 30 minutes) a new tab opens, ads, searches or something, I'm not really sure because I try to close them as soon as they open. When the tab displays the URL (at least initially) it tends to have my last google search in there somewhere. For example, the last one I have is (if my last google search was "this is a test") (brackets aren't really there; [random numbers] is actually a67990067, in this example):

    /?url=http://[random numbers].cn/[more random stuff]ref=http://bulkputty.org/key/[still more random stuff]=this+is+a+test

    Sorry if the description isn't clear, but that's what I mean by having the search in there.

    Haven't tried Chrome, but I doubt it'll work.

    I suspect the malware is using something with svchost, just because:
    1) some of the attacks are going through \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE
    2) there are times when Task Manager has svchost using half my CPU or more (though it's relatively uncommon), and
    3) maybe once or twice every few days (if I've left my comp running overnight), an error message pops up saying there was an error in svchost.exe (don't know the exact message). If I hit Okay to close the process, my computer generally becomes unresponsive. I can still scroll web pages, for example, or close tabs, but I can't close or minimize Firefox, can't click the Start menu or anything on the bottom bar, Task Manager doesn't really respond, etc.

    In general, something is clearly "wrong" with it, but it's not crippling.

    I have no idea if any of that helps.

  6. #26
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hold off on Kaspersky for the moment.

    Run this tool:

    Download TDSSKiller and save it to your Desktop.
    http://support.kaspersky.com/downloa...tdsskiller.zip

    Extract the file and run it.
    Once completed, it will create a log in your C:\ drive.
    Please post the contents of that log.

  7. #27
    Junior Member
    Join Date
    Feb 2010
    Posts
    16

    Alright, I used that and it found three things, then it asked to restart my computer, so I did. When my computer next started up it ran the CHKDSK scan and deleted a few files (mostly old uTorrent stuff, I think). Then, when it tried to restart, it very briefly displayed a blue-screen-of-death type screen and would keep going through the initial startup until I ran it under "Last known good configuration", after which it worked fine.

    Norton doesn't show any attacks since I booted, nor when I do Google searches. Chrome appears to work fine. I'm cautiously optimistic that the rootkit is gone.

    If it is (or even if it isn't), thanks a bunch for helping me here.

    Here's the log:

    18:45:24:218 5640 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
    18:45:24:218 5640 ================================================================================
    18:45:24:218 5640 SystemInfo:

    18:45:24:218 5640 OS Version: 5.1.2600 ServicePack: 3.0
    18:45:24:218 5640 Product type: Workstation
    18:45:24:218 5640 ComputerName: RUSSKLARELAPTOP
    18:45:24:218 5640 UserName: Russell Klare
    18:45:24:218 5640 Windows directory: C:\WINDOWS
    18:45:24:218 5640 Processor architecture: Intel x86
    18:45:24:218 5640 Number of processors: 2
    18:45:24:218 5640 Page size: 0x1000
    18:45:24:218 5640 Boot type: Normal boot
    18:45:24:218 5640 ================================================================================
    18:45:25:000 5640 UnloadDriverW: NtUnloadDriver error 2
    18:45:25:000 5640 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    18:45:26:125 5640 Initialize success
    18:45:26:125 5640
    18:45:26:125 5640 Scanning Services ...
    18:45:26:125 5640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    18:45:26:125 5640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:45:26:125 5640 wfopen_ex: Trying to KLMD file open
    18:45:26:125 5640 wfopen_ex: File opened ok (Flags 2)
    18:45:26:125 5640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    18:45:26:125 5640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:45:26:125 5640 wfopen_ex: Trying to KLMD file open
    18:45:26:125 5640 wfopen_ex: File opened ok (Flags 2)
    18:45:26:843 5640 GetAdvancedServicesInfo: Raw services enum returned 390 services
    18:45:26:843 5640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    18:45:26:859 5640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    18:45:26:859 5640
    18:45:26:859 5640 Scanning Kernel memory ...
    18:45:26:859 5640 Devices to scan: 4
    18:45:26:859 5640
    18:45:26:859 5640 Driver Name: Disk
    18:45:26:859 5640 IRP_MJ_CREATE : F75B0BB0
    18:45:26:859 5640 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    18:45:26:859 5640 IRP_MJ_CLOSE : F75B0BB0
    18:45:26:859 5640 IRP_MJ_READ : F75AAD1F
    18:45:26:859 5640 IRP_MJ_WRITE : F75AAD1F
    18:45:26:859 5640 IRP_MJ_QUERY_INFORMATION : 804F4562
    18:45:26:859 5640 IRP_MJ_SET_INFORMATION : 804F4562
    18:45:26:859 5640 IRP_MJ_QUERY_EA : 804F4562
    18:45:26:859 5640 IRP_MJ_SET_EA : 804F4562
    18:45:26:859 5640 IRP_MJ_FLUSH_BUFFERS : F75AB2E2
    18:45:26:859 5640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    18:45:26:859 5640 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    18:45:26:859 5640 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    18:45:26:859 5640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    18:45:26:859 5640 IRP_MJ_DEVICE_CONTROL : F75AB3BB
    18:45:26:859 5640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75AEF28
    18:45:26:859 5640 IRP_MJ_SHUTDOWN : F75AB2E2
    18:45:26:859 5640 IRP_MJ_LOCK_CONTROL : 804F4562
    18:45:26:859 5640 IRP_MJ_CLEANUP : 804F4562
    18:45:26:859 5640 IRP_MJ_CREATE_MAILSLOT : 804F4562
    18:45:26:859 5640 IRP_MJ_QUERY_SECURITY : 804F4562
    18:45:26:859 5640 IRP_MJ_SET_SECURITY : 804F4562
    18:45:26:859 5640 IRP_MJ_POWER : F75ACC82
    18:45:26:859 5640 IRP_MJ_SYSTEM_CONTROL : F75B199E
    18:45:26:859 5640 IRP_MJ_DEVICE_CHANGE : 804F4562
    18:45:26:859 5640 IRP_MJ_QUERY_QUOTA : 804F4562
    18:45:26:859 5640 IRP_MJ_SET_QUOTA : 804F4562
    18:45:26:875 5640 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
    18:45:26:875 5640 sion
    18:45:26:875 5640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:45:26:875 5640
    18:45:26:875 5640 Driver Name: Disk
    18:45:26:875 5640 IRP_MJ_CREATE : F75B0BB0
    18:45:26:875 5640 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    18:45:26:875 5640 IRP_MJ_CLOSE : F75B0BB0
    18:45:26:875 5640 IRP_MJ_READ : F75AAD1F
    18:45:26:875 5640 IRP_MJ_WRITE : F75AAD1F
    18:45:26:875 5640 IRP_MJ_QUERY_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_QUERY_EA : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_EA : 804F4562
    18:45:26:875 5640 IRP_MJ_FLUSH_BUFFERS : F75AB2E2
    18:45:26:875 5640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    18:45:26:875 5640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    18:45:26:875 5640 IRP_MJ_DEVICE_CONTROL : F75AB3BB
    18:45:26:875 5640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75AEF28
    18:45:26:875 5640 IRP_MJ_SHUTDOWN : F75AB2E2
    18:45:26:875 5640 IRP_MJ_LOCK_CONTROL : 804F4562
    18:45:26:875 5640 IRP_MJ_CLEANUP : 804F4562
    18:45:26:875 5640 IRP_MJ_CREATE_MAILSLOT : 804F4562
    18:45:26:875 5640 IRP_MJ_QUERY_SECURITY : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_SECURITY : 804F4562
    18:45:26:875 5640 IRP_MJ_POWER : F75ACC82
    18:45:26:875 5640 IRP_MJ_SYSTEM_CONTROL : F75B199E
    18:45:26:875 5640 IRP_MJ_DEVICE_CHANGE : 804F4562
    18:45:26:875 5640 IRP_MJ_QUERY_QUOTA : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_QUOTA : 804F4562
    18:45:26:875 5640 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
    18:45:26:875 5640 sion
    18:45:26:875 5640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:45:26:875 5640
    18:45:26:875 5640 Driver Name: Disk
    18:45:26:875 5640 IRP_MJ_CREATE : F75B0BB0
    18:45:26:875 5640 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    18:45:26:875 5640 IRP_MJ_CLOSE : F75B0BB0
    18:45:26:875 5640 IRP_MJ_READ : F75AAD1F
    18:45:26:875 5640 IRP_MJ_WRITE : F75AAD1F
    18:45:26:875 5640 IRP_MJ_QUERY_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_QUERY_EA : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_EA : 804F4562
    18:45:26:875 5640 IRP_MJ_FLUSH_BUFFERS : F75AB2E2
    18:45:26:875 5640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    18:45:26:875 5640 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    18:45:26:875 5640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    18:45:26:875 5640 IRP_MJ_DEVICE_CONTROL : F75AB3BB
    18:45:26:875 5640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75AEF28
    18:45:26:875 5640 IRP_MJ_SHUTDOWN : F75AB2E2
    18:45:26:875 5640 IRP_MJ_LOCK_CONTROL : 804F4562
    18:45:26:875 5640 IRP_MJ_CLEANUP : 804F4562
    18:45:26:875 5640 IRP_MJ_CREATE_MAILSLOT : 804F4562
    18:45:26:875 5640 IRP_MJ_QUERY_SECURITY : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_SECURITY : 804F4562
    18:45:26:875 5640 IRP_MJ_POWER : F75ACC82
    18:45:26:875 5640 IRP_MJ_SYSTEM_CONTROL : F75B199E
    18:45:26:875 5640 IRP_MJ_DEVICE_CHANGE : 804F4562
    18:45:26:875 5640 IRP_MJ_QUERY_QUOTA : 804F4562
    18:45:26:875 5640 IRP_MJ_SET_QUOTA : 804F4562
    18:45:26:875 5640 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
    18:45:26:875 5640 sion
    18:45:26:890 5640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:45:26:890 5640
    18:45:26:890 5640 Driver Name: iaStor
    18:45:26:890 5640 IRP_MJ_CREATE : 876B981A
    18:45:26:890 5640 IRP_MJ_CREATE_NAMED_PIPE : 876B981A
    18:45:26:890 5640 IRP_MJ_CLOSE : 876B981A
    18:45:26:890 5640 IRP_MJ_READ : 876B981A
    18:45:26:890 5640 IRP_MJ_WRITE : 876B981A
    18:45:26:890 5640 IRP_MJ_QUERY_INFORMATION : 876B981A
    18:45:26:890 5640 IRP_MJ_SET_INFORMATION : 876B981A
    18:45:26:890 5640 IRP_MJ_QUERY_EA : 876B981A
    18:45:26:890 5640 IRP_MJ_SET_EA : 876B981A
    18:45:26:890 5640 IRP_MJ_FLUSH_BUFFERS : 876B981A
    18:45:26:890 5640 IRP_MJ_QUERY_VOLUME_INFORMATION : 876B981A
    18:45:26:890 5640 IRP_MJ_SET_VOLUME_INFORMATION : 876B981A
    18:45:26:890 5640 IRP_MJ_DIRECTORY_CONTROL : 876B981A
    18:45:26:890 5640 IRP_MJ_FILE_SYSTEM_CONTROL : 876B981A
    18:45:26:890 5640 IRP_MJ_DEVICE_CONTROL : 876B981A
    18:45:26:890 5640 IRP_MJ_INTERNAL_DEVICE_CONTROL : 876B981A
    18:45:26:890 5640 IRP_MJ_SHUTDOWN : 876B981A
    18:45:26:890 5640 IRP_MJ_LOCK_CONTROL : 876B981A
    18:45:26:890 5640 IRP_MJ_CLEANUP : 876B981A
    18:45:26:890 5640 IRP_MJ_CREATE_MAILSLOT : 876B981A
    18:45:26:890 5640 IRP_MJ_QUERY_SECURITY : 876B981A
    18:45:26:890 5640 IRP_MJ_SET_SECURITY : 876B981A
    18:45:26:890 5640 IRP_MJ_POWER : 876B981A
    18:45:26:890 5640 IRP_MJ_SYSTEM_CONTROL : 876B981A
    18:45:26:890 5640 IRP_MJ_DEVICE_CHANGE : 876B981A
    18:45:26:890 5640 IRP_MJ_QUERY_QUOTA : 876B981A
    18:45:26:890 5640 IRP_MJ_SET_QUOTA : 876B981A
    18:45:26:890 5640 ihd: 4, FFDF0308, 333, 121, 3, 109, 1
    18:45:26:890 5640 Driver "iaStor" Irp handler infected by TDSS rootkit ... 18:45:26:890 5640 cured
    18:45:26:890 5640 siohd: 1
    18:45:26:890 5640 Driver "iaStor" StartIo handler infected by TDSS rootkit ... 18:45:26:890 5640 cured
    18:45:26:921 5640 C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Infected
    18:45:26:921 5640 File C:\WINDOWS\system32\DRIVERS\iaStor.sys infected by TDSS rootkit ... 18:45:26:921 5640 Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
    18:45:26:921 5640 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    18:45:27:265 5640 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
    18:45:27:906 5640 !fdfb7
    18:45:28:031 5640 vfvi6
    18:45:28:296 5640 !dsvbh1
    18:45:31:187 5640 dsvbh2
    18:45:31:187 5640 Backup copy2 found, using it..
    18:45:31:375 5640 will be cured on next reboot
    18:45:31:375 5640 Reboot required for cure complete..
    18:45:31:671 5640 Cure on reboot scheduled successfully
    18:45:31:671 5640
    18:45:31:671 5640 Completed
    18:45:31:671 5640
    18:45:31:671 5640 Results:
    18:45:31:671 5640 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
    18:45:31:671 5640 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:45:31:671 5640 File objects infected / cured / cured on reboot: 1 / 0 / 1
    18:45:31:671 5640
    18:45:31:671 5640 UnloadDriverW: NtUnloadDriver error 1
    18:45:31:671 5640 KLMD_Unload: UnloadDriverW(klmd21) error 1
    18:45:31:671 5640 KLMD(ARK) unloaded successfully

  8. #28
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hi,

    iaStor.sys <-- This is an Intel Accelerator driver. I somewhat expected this to be infected, and it was, and it looks like it's cured.

    Why don't you just use your computer for a few days and post back and let me know if you're still having problems; it seems you may be out of the woods.

    Ken
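The TDSSKiller log posted above records, for each device it scans, where every IRP_MJ_* dispatch entry of the driver object points, and the verdict that follows. The parser and heuristic below are an added example (not TDSSKiller's or Kaspersky's code) showing what makes the iaStor block stand out next to the clean disk.sys blocks: every one of its entries resolves to the same address. The sample excerpt is constructed from the addresses in the posted log, trimmed to three entries per driver.

```python
import re

# Constructed excerpt modelled on the TDSSKiller log in the thread (addresses copied
# from the posted log; trimmed to three IRP entries per driver).
SAMPLE_LOG = r"""
18:45:26:859 5640 Driver Name: Disk
18:45:26:859 5640 IRP_MJ_CREATE : F75B0BB0
18:45:26:859 5640 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
18:45:26:859 5640 IRP_MJ_READ : F75AAD1F
18:45:26:875 5640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:45:26:890 5640 Driver Name: iaStor
18:45:26:890 5640 IRP_MJ_CREATE : 876B981A
18:45:26:890 5640 IRP_MJ_CREATE_NAMED_PIPE : 876B981A
18:45:26:890 5640 IRP_MJ_READ : 876B981A
18:45:26:921 5640 C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Infected
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d:\d{3} \d+ (.*)$")      # timestamp, pid, body
IRP = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-F]{8})$")         # one dispatch entry
VERDICT = re.compile(r"^(\S+) - Verdict: (\w+)$")           # driver file verdict

def parse_tdsskiller(text):
    """Return {driver: {"irp": {major: addr}, "file": path, "verdict": str}}."""
    drivers, cur = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        body = m.group(1).strip() if m else ""
        if body.startswith("Driver Name: "):
            cur = body[len("Driver Name: "):]
            drivers[cur] = {"irp": {}, "file": None, "verdict": None}
        elif cur and IRP.match(body):
            major, addr = IRP.match(body).groups()
            drivers[cur]["irp"][major] = int(addr, 16)
        elif cur and VERDICT.match(body):
            drivers[cur]["file"], drivers[cur]["verdict"] = VERDICT.match(body).groups()
    return drivers

def uniform_dispatch(drivers):
    """Flag drivers whose every IRP_MJ_* entry resolves to one address: the whole
    table was overwritten, as the log shows for iaStor. A clean driver mixes its
    own handlers with the kernel's default stub (804F4562 in this log)."""
    return sorted(n for n, d in drivers.items()
                  if d["irp"] and len(set(d["irp"].values())) == 1)
```

Running `uniform_dispatch(parse_tdsskiller(SAMPLE_LOG))` on the excerpt returns only iaStor, matching the verdict line TDSSKiller itself wrote.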
