Can't remove a rootkit.TDSS

[g2525]

Firefox is running brutally slow. I had this problem once before and followed the instructions for MBAM not running - installed and ran Rootrepeal and wiped the vsfoce.sys file then ran MBAM and all was well. This time after every reboot MBAM keeps finding this infection - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsfocebefyxeyr (Rootkit.TDSS). Please help not sure how to get rid of this. I have MBAM, RootRepeal and HijackThis logs available below.

Thank you.

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:34:33 AM, on 9/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\NETGEAR\WG311T\wlancfg5.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

= http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -

C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: AcroIEToolbarHelper Class -

{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: McAfee SiteAdvisor BHO -

{B164E929-A1B6-4A06-B104-2CD0E90A88FF} -

c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar -

{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -

c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program

Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program

Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program

Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program

Files\NETGEAR\WG311T\wlancfg5.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows

Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Convert link target to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

-

http://update.microsoft.com/windowsupdate/...en/x86/client/w

uweb_site.cab?1240513171799

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -

c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner -

C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program

Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program

Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program

Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee,

Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

End of file - 8257 bytes

------------------------------------------------------------

MBAM Log

Malwarebytes' Anti-Malware 1.40

Database version: 2758

Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/8/2009 11:08:35 AM

mbam-log-2009-09-08 (11-08-35).txt

Scan type: Quick Scan

Objects scanned: 97619

Time elapsed: 7 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsfocebefyxeyr (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------------------------------------------

RootRepeal Log

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/08 11:38

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF5F6A000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8F4E000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB9833000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-01E5F49C.pf

Status: Visible to the Windows API, but not on disk.

Path: c:\windows\temp\sqlite_cvhfe4cpuivpkkv

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_qgyqmsgar1pxwi6

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_r8frfaqsohzrsup

Status: Allocation size mismatch (API: 4096, Raw: 0)

Hidden Services

-------------------

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACtofsoirqlt.sys

Service Name: vsfocebefyxeyr

Image Path: C:\WINDOWS\system32\drivers\vsfoceuenhtimo.sys

==EOF==

[g2525]

bump, anyone

[AdvancedSetup]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   
   • Tools->Options->Main tab
     
   • Set to "Always ask me where to Save the files".
     

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

  
  

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

[westone]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   
   • Tools->Options->Main tab
     
   • Set to "Always ask me where to Save the files".
     

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

  
  

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

I have the same problem with the same registry key, you're lucky if you can run malwarebytes, root repeal, or any antivirus for that matter without them crashing during scanning, because I sure can't. And I have tried every renaming trick to get combofix to install properly and every time I get a status bar that freezes, no matter what mode or what I name it.

There's gotta be some way to delete this registry key. I found that this was my problem from using IObit Security 360, and it's all I have to go on right now. I'm hoping once I delete that registry key it will stop redirecting every browser but google chrome to ad-ware sites and stop blocking them from downloading antivirus, but I doubt it.

When I run an anti-virus program from a download off Google Chrome it will install, but when ran the software will crash and the permissions become locked. Seems like there must be some sort of service that's running that I'm not aware of, but even in safe mode nothing seems out of the ordinary. I've gotten root repeal to scan for everything except files, but it doesn't come up with much....

... Oh and just recently my thumbnails stopped showing up, which means my desktop background just disappeared, but that could be unrelated.

[AdvancedSetup]

Please try installing MBAM v1.41 which has an updated engine to deal with some of these.

http://www.malwarebytes.org/mbam-download.php

If that does not work then try the following.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the
  Avira AntiVir Rescue System
  from
  here
  
  
• Place a blank CD in your burner and double-click on the downloaded file named
  rescue_system-common-en.exe
  
  
• If the above link does not work please try this one:
  here
  
  
• The program will automatically burn the CD for you.
  
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
  
• Click on the
  Configuration
  button.
  
  
  • Select
    Scan all files
    
    
  • Select
    Try to repair infected files
    and
    Rename files, if they cannot be removed
    
    
  • Select
    Scan for dialers
    
    
  • Select
    Scan for joke programs (Jokes)
    
    
  • Select
    Scan for games
    
    
  • Select
    Scan for spyware (SPR)
    
    
  [*]
  Click on
  Virus scanner
  [*]
  Click on
  Start scanner
  at the bottom of the screen
  [*]
  Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

1. Please see the post
   here
   if you're unable to view the entire screen of Avira.
   
   
2. You can also review this one
   Fixed Rescue CD Resolution Probs with Dell Video
   
   
3. Currently only the German keyboard is supported.
   Command Line not working
   English keyboards require work arounds.
   
   
4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.
   
   

[AdvancedSetup]

Please post a status update on this.

Thanks.

[westone]

Please post a status update on this.

Thanks.

Don't know about the updated version but I finally got malwarebytes to run by using Autoruns for windows which was suggested here http://www.s-t-f-u.com/2008/10/29/rootkit-...hore-remove-it/

I just looked for services that were being run that did not have a description and then cross referenced their filename on google to see if they were a known offender. I logged out, logged back on and like magic, without that nasty tdss service running I can run malwarebyes again.

[AdvancedSetup]

Okay that's good. Please run the following so that I can see what's going on.

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
    

  [*]When the update is complete, select the Scanner tab

  [*]Select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    

Then post back the MBAM log and a new Hijackthis log.

[AdvancedSetup]

Please post a status update.

Thanks

[AdvancedSetup]

Are you still with us?

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.