Rootkit Trojan/Virus

Status
Not open for further replies.

ascot54

Hi all,
First off, Happy New Year to everyone.

I'd like to share the following with you.

My laptop got infected a few days ago with the following:


Files Infected:
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrsr.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

I ran the 8-point guide and Malware did its bit; however, on the reboot these items remained. This happened after ensuring that Malware and SAS were up to date.

My fix was to do the following:

1. Ensure Malware/SAS up to date
2. Download ComboFix and SDFix
3. Run CCleaner
4. Run Malware/SAS
5. Install/Run ComboFix in safe mode (allow to finish)
6. Install/Run SDFix and allow to finish
7. Do total cold reboot, not restart.
8. Run CCleaner again
9. Run Malware/SAS

Hopefully, system should be clean........
 
Some logs from the programs you have run would be helpful to us in determining if there is anything left on your system.

Logs from Malwarebytes, SAS, SDFix and also a HijackThis log would be good.

You can find out how to post a HijackThis log in the 8 step guide here under point 7. The rest you have already done.

Happy New Year to you too :)
 
Update..

I'm just running Avast on the laptop and it's now giving me the Tidserv trojan alert...!! Damn laptop!!

Will send log files once it's completed....

Also, anyone on here know anything about the Aegis.exe prog...??
I Googled it and it's a virus supposedly; however, Avast, Malware, SAS did not pick it up...!!

Rgds
Ascot
 
Unfortunately I have been unable to find any information about that file. Can you point me to the site where you saw the info?

Thanks
 
OK, thanks for that, I will look into it.

I have your logs here, thanks for them also.

To start, you took no action against the findings of the Malwarebytes scan, thus the "No action taken".

Re-scan with Malwarebytes, then make sure there is a tick in the box next to ALL of the findings and press Fix Selected.

You can see my instructions here if you need more help.
As a reference to a fix in the guide not yet made, please click on PERFORM FULL SCAN and NOT Perform Quick Scan.

Disabling System Restore

It is advised that you do not turn off System Restore unless you have specific need to do so.

For this Trojan you have the need to disable System Restore.
To disable System Restore you would follow these steps:

1. Click on the Start button to open your Start Menu.

2. Click on the Control Panel menu option.

3. Click on the System and Maintenance menu option.

4. Click on the System menu option.

5. Click on System Protection in the left-hand task list.

6. Uncheck the check boxes next to each hard drive listed under "Create restore points automatically on the selected disks:". You should click on the Turn System Protection Off button.

7. Press the Apply button and then the OK button.

System Restore is now disabled on your computer.

Then re-run Malwarebytes and SuperAntiSpyware and re-post a fresh HijackThis log, Malwarebytes log and SuperAntiSpyware log.
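The point in the post above is that a scan log whose entries read "No action taken" means the detected files are still on disk, whereas "Quarantined and deleted successfully" means the scanner removed them. As an added example (not part of this thread or of Malwarebytes itself), here is a small Python parser for result lines in that "path (Detection) -> Action" format that separates resolved from unresolved entries and picks out kernel-driver detections, which deserve a second look because a loaded rootkit driver is typically what lets user-mode components reappear after a reboot. The sample log is constructed: its paths and detection names are the ones quoted in the thread, plus one constructed `TDSSconstructed.sys` line to show an unresolved entry.

```python
import re
from collections import defaultdict

# One Malwarebytes-style result line, e.g.
#   C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample log. The first three lines are quoted from the thread;
# the last line is constructed to show an item the user never acted on.
SAMPLE_LOG = r"""
Files Infected:
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrsr.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSconstructed.sys (Rootkit.Agent) -> No action taken.
"""


def parse_results(text):
    """Return one dict {path, detection, action} per result line in the log."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and section headers such as "Files Infected:".
        if not line or line.endswith(":"):
            continue
        match = LINE_RE.match(line)
        if match:
            results.append(match.groupdict())
    return results


def unresolved(results):
    """Entries whose action means the scanner left the file in place."""
    return [r for r in results if r["action"].lower().startswith("no action")]


def summarize(results):
    """Count entries per action so a log can be judged at a glance."""
    counts = defaultdict(int)
    for r in results:
        counts[r["action"]] += 1
    return dict(counts)


def rootkit_driver_paths(results):
    """Paths of Rootkit.* detections that are kernel drivers (.sys files)."""
    return [
        r["path"]
        for r in results
        if r["detection"].startswith("Rootkit") and r["path"].lower().endswith(".sys")
    ]


if __name__ == "__main__":
    parsed = parse_results(SAMPLE_LOG)
    print("Actions:", summarize(parsed))
    for entry in unresolved(parsed):
        print("STILL PRESENT:", entry["path"], "(" + entry["detection"] + ")")
    print("Kernel drivers flagged:", rootkit_driver_paths(parsed))
```

Run it on a saved scan log instead of `SAMPLE_LOG` to get the list of entries that still need the "tick every finding and Fix Selected" step from the post; an empty `unresolved()` list is the condition the helper is asking for before the next round of logs.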
 
Rev,
Can't disable the restore mode..

I'm now getting a rundll32 error...!!!

Any ideas how to bypass it?
 
Ok,

Can you actually disable System Restore and the message stops you, or is it that you can't disable System Restore and after trying you get the error?

Also try disabling and scanning in safe mode and see if that makes any difference.
 
Hi Rev,

Laptop gone in the "trash can" for now!!

Main PC now infected...!!

Can't boot in normal mode, my screen has been screwed...
Safe mode works...
My System Restore doesn't exist anymore, so God knows where that's gone..!!

Will send logs ASAP!!
 
Hi Rev,

Please find my logs attached....

This one has me baffled...!!

Wish I could get a pic of it to show you how my screen looks...

Rgds

Ascot
 
My update.

Well, I did the 8-point guide same as before (thanks again Mike Flynn).

But this time ran Combo Fix and SDFix after deleting the possible source file of the infection.

However, whilst in safe mode ComboFix told me that Avast was still running. Tried to disable it but couldn't work out how.

So, with nothing to lose, I just ran Combo anyway.
PC rebooted into normal mode and with bated breath I waited for my screen to go all "fuzzy" again..!!

But this time it didn't...

I also deleted Nvidia Tune Up as I had overclocked my AGP card for better effect on FltSim X. It passed all the inbuilt tests with no problems found.
I don't believe Nvidia is to blame for the infection as I had it installed for almost a week before anything odd happened.

The suspected source came from a "trusted" web site. However, before I openly accuse that place, I will do some investigating and post my findings here.

Rev, (or any other Tech expert)
I'd be grateful if you would check my log files to see if I have missed anything..

Thanks again....
 
Oh, I'm glad to hear that you seem to be getting somewhere.

It may not have been totally virus related, but there is a possibility; however, seeing as you have run those scans, can you post a fresh HijackThis log? I don't want to recommend you remove anything that's not there anymore :)
 
OK, I think we are there now.

Can you go back to HijackThis, click Scan and place a tick next to the following object ONLY:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

It appears that after you do that your system is clean :)

Are you experiencing any other problems now?

If not, then you should:
* Download OTCleanIt from here
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Then,

Clear your existing system restore points and establish a new clean restore point:
1. Go to Start > All Programs > Accessories > System Tools > System Restore
2. Select Create a restore point, and OK it.
3. Next, go to Start > Run and type in cleanmgr
4. Select the More options tab
5. Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

After that regular scanning and a good firewall should see you in good stead :)
 
Hi buddy,

Right, I have deleted the BO02 file index in HJT...
Also I found a link to get my restore option reincarnated..... it was gone forever, so I thought..

I have done everything else...!!
I'm going to reload the Nvidia nTune utility for my AGP card as I need the speed increase at the moment.. (can't afford a new card at the mo, credit crunch in UK..)

Also looking to trade off other unnecessary processes to give increased performance.. any tips appreciated...!!

Next projects:

My laptop & my sons laptop...

PS:

For all those who have probs, or may do in the future, don't despair, this forum is top dollar...

This is the 2nd time I've used the "knowledge" that resides in here..
with another positive result!!
 
lol I'm afraid ascot you're having a bad time :) The logs are not attaching.

Just click on the Manage Attachments button, browse for the file, then click Open, then Upload.

Stopping processes is one thing, but I think you should have a look under msconfig:

Start>Run>Msconfig.

I would disable under the start-up tab:

Yahoo Messenger
SuperAntiSpyware


Also, if you think you are having decreased performance then take a look at this guide I've made here.

It's for a program called CCleaner. It cleans temporary files and rids you of junk you no longer need. The download link is on there too. I use that every 2 weeks and it keeps me going :).
 
Most odd..

I'm hitting the paperclip

Browsing to HJT log file

Click upload
It says done

But obviously it ain't working

Any ideas..??
 
Sorry, I had to pop off there. Yes, that uploaded it :).

So this is the re run of your main PC right?
 