-
Win32.TDSS.rtk help please!
I have followed the instructions from your thread http://forums.spybot.info/showthread.php?t=288
and have installed "ERUNT" and Spybot S&D (disabled the TeaTimer and ran a scan in advanced mode)...attached is a .pdf of the Notepad log report. Please help me remove this trojan once and for all...I've run Autoruns and McAfee in safe and normal modes and it continues to "remove" it, but it continues to return. The most obvious side effect I've noticed from the presence of this trojan is that my search result links are hijacked, and that is about it (that I know about). Any help with the removal and preventative measures for the future is greatly appreciated.
Thanks...will you email me how to find your responses...I'm a first-time poster.
sdfdesign
-
hi sdfdesign
You are missing part of the instructions' requirements: namely an HJT log. We can get that later. You have a rootkit on board. Your log is also a few days old. If you still need help removing it, simply reply to the post using the Add Reply button.
-
help still needed
Thank you Shelf Live for your reply...I do still need help...not sure how to go about getting an HJT log? Sorry, fairly new to this.
-
Ignore the HJT uncertainty part of the last email...
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:34 PM, on 10/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Pro\CPFillerCo.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://searcher.apticonline.com
O15 - Trusted Zone: owa.fnf.com
O15 - Trusted Zone: http://*.metrolist.net
O15 - Trusted Zone: http://*.rapmls.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1142701539015
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 5756 bytes
-
hi sdfdesign,
OK. We will get a download to use. It's called Combofix. There is a guide to read first which will explain some things. Read through the guide, then download Combofix to your desktop. Disable your AV and antimalware as explained in the guide. Double-click the icon and follow the prompts. Post the Combofix log in your reply.
Guide to using Combofix
-
Okay, thanks for your help too.
-
ComboFix Log
ComboFix 09-10-04.01 - Owner 10/05/2009 18:43.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.194 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\rotscxwydkrviu.sys
c:\windows\system32\rotscxbymbpjwm.dat
c:\windows\system32\rotscxkbeecxdk.dll
c:\windows\system32\rotscxugfqxmfv.dat
c:\windows\system32\rotscxvpykrirp.dll
c:\windows\system32\rotscxyxwmnmpf.dll
c:\windows\system32\twain.dll
c:\windows\wpd99.drv
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_rotscxrtuyrwbw
-------\Legacy_rotscxrtuyrwbw
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.
2009-09-29 13:29 . 2009-09-29 13:29 -------- d-----w- c:\program files\ERUNT
2009-09-29 10:22 . 2009-09-29 10:22 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-29 10:07 . 2009-09-29 10:07 -------- d-----w- C:\Autoruns
2009-09-29 02:02 . 2009-09-29 02:02 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-09-25 13:23 . 2009-09-25 13:23 38 ----a-w- c:\windows\system32\DELCPL.BAT
2009-09-25 04:18 . 2009-09-25 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-25 04:18 . 2009-09-29 02:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-24 11:06 . 2009-09-24 11:06 -------- d-----w- c:\program files\Trend Micro
2009-09-14 02:29 . 2009-09-14 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-14 02:29 . 2009-09-14 02:29 -------- d-----w- c:\program files\McAfee Security Scan
2009-09-09 13:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 11:55 . 2007-06-10 01:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-26 12:18 . 2006-03-15 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-25 13:26 . 2006-03-21 21:21 -------- d-----w- c:\program files\pdf995
2009-09-25 13:25 . 2006-03-15 03:17 -------- d-----w- c:\program files\Google
2009-09-25 13:24 . 2007-02-24 19:31 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-15 09:40 . 2009-05-06 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-14 02:32 . 2006-03-19 21:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-07 08:17 . 2006-03-15 02:41 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
2007-06-08 11:08 . 2007-06-08 11:08 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2008 6:01 PM 210216]
.
Contents of the 'Scheduled Tasks' folder
2008-08-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-26 17:53]
2008-08-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-26 17:53]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: apticonline.com\searcher
Trusted Zone: fnf.com\owa
Trusted Zone: metrolist.net
Trusted Zone: rapmls.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-HijackThis - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8N3Z2O1X\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 18:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2009-10-06 18:56
ComboFix-quarantined-files.txt 2009-10-06 01:56
Pre-Run: 69,227,794,432 bytes free
Post-Run: 69,363,691,520 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
121 --- E O F --- 2009-09-09 13:32
-
hi,
OK, so far so good. We will get another download to use, which you can keep and use as an anti-malware app. Link and directions:
Please download Malwarebytes to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer for the fix to continue*
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually.
-
ready for more
That was a fun 2 hours+...k, what's up next?
Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3
10/6/2009 7:23:51 PM
mbam-log-2009-10-06 (19-23-51).txt
Scan type: Full Scan (A:\|C:\|D:\|F:\|G:\|H:\|I:\|)
Objects scanned: 194439
Time elapsed: 2 hour(s), 22 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxvpykrirp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP0\A0000004.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP1\A0000055.sys (Worm.Agent) -> Quarantined and deleted successfully.
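Two things in the logs above are worth seeing in code rather than by eye: the ComboFix "Other Deletions" section shows the TDSS hallmark of several system32 files (.sys, .dll, .dat) plus a service that all share one random-looking prefix (`rotscx`), and the MBAM "Files Infected" list shows hits that sit in ComboFix's own quarantine folder (`C:\Qoobox\Quarantine`) and in System Restore snapshots (`System Volume Information\_restore{...}`), i.e. leftovers of already-removed files rather than an active infection. The script below is an added example, not a tool from this thread or from ComboFix/MBAM; it re-reads the log lines copied from the posts above (constructed input) and clusters files by a shared prefix. The six-letter prefix length and the "at least 12 lowercase letters" stem test are assumptions tuned to this log, not a general TDSS signature.

```python
import re
from collections import defaultdict

# Constructed input: the "Other Deletions" and "Drivers/Services" lines copied
# from the ComboFix log posted in this thread.
COMBOFIX_LOG = r"""
c:\windows\system32\drivers\rotscxwydkrviu.sys
c:\windows\system32\rotscxbymbpjwm.dat
c:\windows\system32\rotscxkbeecxdk.dll
c:\windows\system32\rotscxugfqxmfv.dat
c:\windows\system32\rotscxvpykrirp.dll
c:\windows\system32\rotscxyxwmnmpf.dll
c:\windows\system32\twain.dll
c:\windows\wpd99.drv
-------\Service_rotscxrtuyrwbw
-------\Legacy_rotscxrtuyrwbw
"""

# Constructed input: the three "Files Infected" paths from the MBAM log above.
MBAM_DETECTIONS = [
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxvpykrirp.dll.vir",
    r"C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP0\A0000004.dll",
    r"C:\System Volume Information\_restore{247C22C5-4207-4437-945C-BA5F880C3C88}\RP1\A0000055.sys",
]

PREFIX_LEN = 6                                # assumption: shared leading letters
RANDOM_STEM = re.compile(r"^[a-z]{12,}$")     # assumption: long, all-lowercase stem
SYSTEM32 = re.compile(r"\\windows\\system32\\(drivers\\)?([^\\]+)$", re.IGNORECASE)
SERVICE = re.compile(r"^-------\\(Service|Legacy)_(\w+)$")


def find_random_name_clusters(log_text, min_files=3):
    """Group system32 files whose random-looking stems share a prefix.

    Returns {prefix: {"files": [...], "extensions": {...}, "services": [...]}}
    for prefixes covering at least `min_files` files of two or more
    extensions (sys/dll/dat side by side, as in the log), and attaches any
    Service_/Legacy_ entries that start with the same prefix.
    """
    by_prefix = defaultdict(lambda: {"files": [], "extensions": set(), "services": []})
    services = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE.match(line)
        if m:
            services.append(m.group(2).lower())
            continue
        m = SYSTEM32.search(line)
        if not m:
            continue                          # twain.dll qualifies by path but not by stem
        name = m.group(2).lower()
        stem, _, ext = name.rpartition(".")
        if not RANDOM_STEM.match(stem):
            continue                          # short or mixed names (twain, wpd99) are skipped
        entry = by_prefix[stem[:PREFIX_LEN]]
        entry["files"].append(name)
        entry["extensions"].add(ext)

    clusters = {}
    for prefix, entry in by_prefix.items():
        if len(entry["files"]) >= min_files and len(entry["extensions"]) >= 2:
            entry["files"].sort()
            entry["services"] = sorted({s for s in services if s.startswith(prefix)})
            clusters[prefix] = entry
    return clusters


def classify_detection(path):
    """Separate a live file from remnants a previous tool already neutralised."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine-remnant"           # ComboFix's quarantine folder (see the MBAM log)
    if "\\system volume information\\_restore{" in p:
        return "restore-point-remnant"        # copy kept by System Restore, not the running OS
    return "live"


def summarize(log_text=COMBOFIX_LOG, detections=MBAM_DETECTIONS):
    clusters = find_random_name_clusters(log_text)
    classes = {path: classify_detection(path) for path in detections}
    return clusters, classes


if __name__ == "__main__":
    clusters, classes = summarize()
    for prefix, c in clusters.items():
        print(f"cluster '{prefix}*': {len(c['files'])} files, "
              f"ext={sorted(c['extensions'])}, services={c['services']}")
    for path, kind in classes.items():
        print(f"{kind:22s} {path}")
```

Run against the pasted log lines it reports one cluster, `rotscx*`, with six files across .sys/.dll/.dat and the matching `rotscxrtuyrwbw` service, and it classes all three MBAM hits as remnants; the `twain.dll` deletion is not part of the cluster, which is exactly the kind of entry a human reviewer should still look at separately.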
-
hi sdfdesign
OK, looks good. You can get one more tool to use as a check, then we should be all done. This scan should go a lot quicker...
Please download: RootRepeal
http://ad13.geekstogo.com/RootRepeal.exe
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply