WINDOWS\system32\UAClhbftiqwab.db (Rootkit.TDSS)


Fergie


Hello,

Last night I initiated a Malwarebytes update & Full Scan (Database 2728 - Finger Prints 129162). This morning I found that it had detected "C:\WINDOWS\system32\UAClhbftiqwab.db (Rootkit.TDSS)". I selected the 'Fix Selected' option and allowed 'Malwarebytes' to remove and reboot the PC.

I also updated and initiated a 'SUPERAntispyware (Database 4081 - Trace 2021)', Full Scan. This returned the message 'no threats found' as did AVG.

As extra caution I launched 'Zonealarm' then tried to update it. I received the error 'no permission to install the updated exe' (I am administrator and have full permissions). Whilst this appears not to be a major issue (as I have a router firewall and run AVG), I thought that it might be related to the 'Rootkit.TDSS' that was discovered earlier, and it prompted me to investigate the matter further.

I examined the Malwarebytes log and searched the internet for some info about the 'Rootkit.TDSS'. One result led me to a thread that explained that 'Malwarebytes' initially removes the threat, but that the infection is so deeply rooted that it will re-appear if you have an open internet connection.

Another thread that I discovered provided information about where and how to remove the infection. It explained that you should open 'Device Manager' and select 'Show hidden devices', then select the 'Non-Plug and Play' branch. It then advised you to locate the files labelled 'TDxyx' (where 'xyx' is substituted with random letters).

There were no visible files; however, I discovered that there were several drivers that appear to have unusual names (in my rookie opinion). Some of these also have yellow marks next to them: PartMgr (yellow mark), Catchme, dmboot etc.

I have only looked at some of the advice and not performed anything other than completing the procedure that is advised here. I thought that the information might be of useful assistance and that I have attempted some resolution before just coming to the forum.

As instructed, below are the two logs from 'Malware & Hijack',

----------------------------------

Malwarebytes' Anti-Malware 1.40

Database version: 2728

Windows 5.1.2600 Service Pack 2

02/09/2009 08:58:33

mbam-log-2009-09-02 (08-58-05).txt

Scan type: Full Scan (C:\|D:\|G:\|)

Objects scanned: 215028

Time elapsed: 2 hour(s), 27 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\UAClhbftiqwab.db (Rootkit.TDSS) -> No action taken.

----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:35:37, on 02/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Words+, Inc\EZ KeysXP\WplServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Sweex\Installer\WINXP\SWU.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Sweex WiFi Utility.lnk = C:\Program Files\Sweex\Installer\WINXP\SWU.exe

O9 - Extra button:

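The Malwarebytes log above is the "before" picture: its one entry ends in "No action taken", which is what the saved log shows at the moment it is written, before 'Fix Selected' runs. The following is an added example, not code from the post or from Malwarebytes, that parses a log in that layout, cross-checks the summary counters against the itemised entries, lists anything still recorded as unresolved, and flags paths whose name fits the pattern the post describes (a short fixed prefix such as 'UAC' followed by a run of random letters). The log format handling and the name heuristic are assumptions made from the log and the description in the post; the sample log is constructed from the values in it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# Values are copied from the log in the post above; sections are trimmed.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2728
Windows 5.1.2600 Service Pack 2

02/09/2009 08:58:33
mbam-log-2009-09-02 (08-58-05).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 215028
Time elapsed: 2 hour(s), 27 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UAClhbftiqwab.db (Rootkit.TDSS) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")      # "Files Infected: 1"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")              # "Files Infected:"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed triage heuristic built only from the naming described in the post:
# 'UAC' + random lowercase letters for the files, 'TD' + random letters for the
# hidden drivers. A match is a hint for a closer look, not a verdict.
TDSS_NAME_RE = re.compile(r"\\(?:UAC[a-z]{6,}|TD[a-z]{3,})\.(?:db|dat|dll|log|sys)$")


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    path: str      # detected object (file path or registry key)
    family: str    # detection name, e.g. "Rootkit.TDSS"
    action: str    # what the scanner had done when the log was written


@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Parse header, summary counters and itemised detections from a 1.x log."""
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware"):
            report.version = line.split()[-1]
            continue
        if line.startswith("Database version:"):
            report.database = line.split(":", 1)[1].strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.counts[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(
                Detection(section, m.group("path"), m.group("family"), m.group("action")))
    return report


def unresolved(report: MbamReport) -> List[Detection]:
    """Entries the log still records as present: 'No action taken' means nothing
    had been removed when this log was saved (a removal run writes its own log)."""
    return [d for d in report.detections if d.action.lower().startswith("no action")]


def counts_consistent(report: MbamReport) -> bool:
    """Cross-check every summary counter against the itemised entries below it."""
    for section, expected in report.counts.items():
        found = sum(1 for d in report.detections if d.section == section)
        if found != expected:
            return False
    return True


def looks_like_tdss_name(path: str) -> bool:
    return TDSS_NAME_RE.search(path) is not None


def triage(text: str) -> List[str]:
    """Short, human-readable triage lines suitable for pasting into a report."""
    report = parse_mbam_log(text)
    lines = [f"MBAM {report.version}, database {report.database}: "
             f"{len(report.detections)} detection(s), counters consistent: {counts_consistent(report)}"]
    for d in unresolved(report):
        hint = " [name matches TDSS-style pattern]" if looks_like_tdss_name(d.path) else ""
        lines.append(f"UNRESOLVED {d.family}: {d.path}{hint}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_MBAM_LOG)))
```

Run on the sample, `triage` reports one detection with consistent counters and one unresolved Rootkit.TDSS entry whose name fits the pattern. The consistency check is worth keeping: a log whose counters disagree with its itemised entries has been truncated or edited, which is a useful thing to know before acting on it.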

Hi,

Thanks for the reply; however, this is a duplicate post and can be deleted. When I originally posted, my browser posted the thread twice within a minute. I thought that an admin had already deleted it.

Kenny is presently helping me.

Many thanks,

Mike


This topic is now closed to further replies.