Trojan.TDss and Win32:Alureon-CO

I really need some help with the following three rootkits:

Trojan.TDss.WQ located in c:\windows\system32\kbiwkmlkkuvqff.dll

Trojan.TDss.WQ located in c:\windows\system32\kbiwkmqieydtqm.dll

Win32:Alureon-CO located in c:\windows\system32\kbiwkmrrupukfn.sys

AVG didn't even know they were present. GData acknowledges them, but cannot quarantine or delete the files. I have also run Sophos and SDFix - both unsuccessful. Any help you could give would be most appreciated. The following is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:40 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files\G Data\InternetSecurity\AVK\AVKService.exe
C:\Program Files\G Data\InternetSecurity\AVK\AVKWCtl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nuance\PDF Professional 5\PDFProFiltSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe
C:\Program Files\G Data\InternetSecurity\Firewall\GDFwSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Nuance\PDF Professional 5\pdfpro5hook.exe
C:\Program Files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe
C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\G Data\InternetSecurity\GUI\GDSC.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\program files\g data\internetsecurity\avkkid\avkcks.exe
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G Data\InternetSecurity\Webfilter\AvkWebIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java

  • Staff

Hi brigun and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
