Bad, Bad Rootkit.TDSS.v2

[ken545]

Looks like this program is illegal

c:\program files\winternals\recovery manager


It also looks like this is a company computer

[Cal626]

This is my personal PC at home. I use it sometimes to work from home via VPN. As for c:\program files\winternals\recovery manager, this was installed a long time ago, maybe years. I don't remember ever using it though. Why is it illegal?

[ken545]

Well, I could be wrong but it looks like its some sort of key generator.

Please download Malwarebytes from Here or Here

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report please

[Cal626]

Ok, here is the log. Re-booted system.

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.19.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admiral Turron :: antec [administrator]

Protection: Enabled

1/19/2012 2:27:25 PM
mbam-log-2012-01-19 (14-27-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195142
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\system32\drivers\acpi.sys (Virus.RLoader) -> Quarantined and deleted successfully.

(end)

[ken545]

How is your system running now, any better ? Any browser redirects ?


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Make sure that the option "Remove found threats" is Unchecked
9. Push the Start button.
10. ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
11. When the scan completes, push
12. Push , and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
13. Push the button.
14. Push

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

[Cal626]

Yes, my computer is running faster. The results of the online scan...

C:\Documents and Settings\All Users\Application Data\rrexvahnjbxu\spoof.avi Win32/Agent.SWD trojan

[ken545]

Go ahead and delete this

C:\Documents and Settings\All Users\Application Data\rrexvahnjbxu

Give me an update as to how all is working ?

[Cal626]

All is working well and I have deleted the directory. Should I now delete all the things I downloaded to my desktop? I will also turn on my anti-virus software "PC Tools Spyware Doctor with AntiVirus" if it is okay.

[ken545]

Now to remove most of the tools that we have used in fixing your machine:

• Make sure you have an Internet Connection.
• Download OTC to your desktop and run it
• A list of tool components used in the cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
• Click Yes to begin the cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Malwarebytes is the free version and yours to keep and will not be removed

• How did I get infected in the first place ?
  Read these links and find out how to prevent getting infected again.
• Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
• WhattheTech
• Grinler BleepingComputer
• GeeksTo Go
• Dslreports

Safe Surfn
Ken

[Cal626]

Hi,

I have removed all of the tools from my PC. But when I run a full scan with my anti-virus software it still finds a high risk threat called "Rootkit TDSS.v2".

Do you think it is a problem with my anti-virus software? My PC is running fine.