RootKit.TDSS keeps coming back - Please review my logs


DKNY

I'm having the same problem that voight75 is dealing with in this thread: http://www.malwarebytes.org/forums/index.php?showtopic=24978. I've followed the steps Dakeyras suggested on that thread, but the trojan is still here.

I've run an online scan from Kaspersky and it found this:

globalroot\Device\Ide\IdePort1\jgnbdwpt\jgnbdwpt\tdlwsp.dll/globalroot\Device\Ide\IdePort1\jgnbdwpt\jgnbdwpt\tdlwsp.dll Infected: Packed.Win32.TDSS.z 4

It affects my IE, Firefox, and Opera browsers.

I appreciate your help.

GMER.txt

RSIT.txt

mbam_log_2009_09_18__18_47_35_.txt

combo_fix.txt


Welcome to the forum, DKNY.

Any idea where you picked that up?

Do a file search for tdlwsp.dll on your PC. Any hits?

Download and unzip Registry Search, preferably to your desktop.

http://www.xs4all.nl/~fstaal01/regsearch-us.html

Unzip the program and start it. At the top, in the blank white box/field, right-click once, then type in

tdlwsp.dll

then click OK and wait for a text file to open. If anything was found, copy and paste that back here please.

Nothing goes under "Enter string to exclude from results (optional)".


Hi Lonny,

I've used the Virus Removal Tool from Kaspersky. The redirecting to different websites has been solved, but one thing I'm still fighting is a Bad Image error message. Whenever I try to open an application, a Bad Image popup appears. The guy over at the Kaspersky forum was helping me, but he's been kind of busy lately. Here's my latest ComboFix log.

Thanks

combo_fix.txt


Download and unzip Registry Search, preferably to your desktop.

http://www.xs4all.nl/~fstaal01/regsearch-us.html

Unzip the program and start it. At the top, in the blank white box/field, right-click once, then type in

jgnbdwpt

At the very top, in the second blank field, type in

tdlwsp

then click OK and wait for a text file to open; copy and paste that back here please.

Nothing goes under "Enter string to exclude from results (optional)".

In the future, please do not post for help at more than one forum.


I think part of this TDSS variant might be loading via the Windows MBR.

Download the mbr.exe tool from here and place it on your desktop:

http://www.gmer.net/

Go to Start > Run, copy and paste this line into the Run box, and press Enter:

"%userprofile%\desktop\mbr.exe" -c 0 64 copy_of_sectors

If possible, zip up copy_of_sectors and submit it here please:

http://www.bleepingcomputer.com/submit-malware.php

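The command above copies the first 64 sectors of disk 0 into copy_of_sectors: sector 0 is the MBR itself (446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature), and the sectors after it up to the first partition are normally unused. The following is an added example, not code from this thread or from the mbr.exe tool: a Python script that parses that layout, hashes the boot code so it can be compared with a known-good MBR, and lists any non-zero sectors in the gap before the first partition. The 64-sector dump it works on is constructed in memory (an assumption for the demonstration); to examine a real dump, read copy_of_sectors into `dump` instead.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446  # 446 bytes of boot code, then 4 x 16-byte entries


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (the CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector0: bytes) -> dict:
    """Split sector 0 into boot code, partition table and signature."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    boot_code = sector0[:PARTITION_TABLE_OFFSET]
    table = sector0[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    entries = [parse_partition_entry(table[i * 16:(i + 1) * 16]) for i in range(4)]
    return {
        "signature_ok": sector0[510:512] == MBR_SIGNATURE,
        # Hashing the boot code lets you diff it against a known-clean MBR
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],
    }


def boot_code_matches(dump: bytes, baseline_sha256: str) -> bool:
    """True if the dump's boot code hashes to the supplied known-good value."""
    return parse_mbr(dump[:SECTOR_SIZE])["boot_code_sha256"] == baseline_sha256


def nonzero_gap_sectors(dump: bytes) -> list:
    """Indices of non-zero sectors between the MBR and the first partition.
    That gap is normally unused, so data parked there deserves a closer look."""
    info = parse_mbr(dump[:SECTOR_SIZE])
    if not info["partitions"]:
        return []
    first_lba = min(p["lba_start"] for p in info["partitions"])
    total = len(dump) // SECTOR_SIZE
    hits = []
    for idx in range(1, min(first_lba, total)):
        sector = dump[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE]
        if any(sector):
            hits.append(idx)
    return hits


def build_sample_dump(tamper: bool = False) -> bytes:
    """Constructed 64-sector dump (an assumption, not a real disk image):
    dummy boot code, one bootable NTFS partition at LBA 63, valid signature."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 2_000_000)
    sector0 = boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE
    sectors = [sector0] + [b"\x00" * SECTOR_SIZE] * 63
    if tamper:
        # Simulate code stored in the unused gap (sector 5)
        sectors[5] = b"\x90" * 16 + b"\x00" * (SECTOR_SIZE - 16)
    return b"".join(sectors)


if __name__ == "__main__":
    dump = build_sample_dump(tamper=True)
    info = parse_mbr(dump[:SECTOR_SIZE])
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print("partition type 0x%02X, start LBA %d, bootable %s"
              % (p["type"], p["lba_start"], p["bootable"]))
    print("boot code sha256:", info["boot_code_sha256"])
    print("non-zero gap sectors:", nonzero_gap_sectors(dump))
```

The boot-code hash is only useful against a baseline you trust (for example the same bytes taken from a clean install of the same Windows version); the script does not ship one, since none is given in the thread.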


I've just submitted the GMER log.


Hi DKNY,

Re-read my last post please :)

Find a place to upload large files, such as megaupload.com.

Zip up "system" and "software" and put a password on them; PM the password to me.

They will be located in C:\windows\erunt\datetime (the folder name will vary).

Find the most recent files and upload them please.


This batch will take a while (about 7 minutes on my PC); since yours is lagging, run it while in Safe Mode.

Copy the contents of the code box below (don't include the word "code") into a new Notepad document (not WordPad or another text editor).

Click File > Save As..., call it check.bat, set the file type to *All Files*, and save it to your desktop.

rem check.bat: list every .exe and .dll on the system drive (skipping the Windows
rem backup/cache folders) and record each file that contains one of the strings
For /F "TOKENS=*" %%g IN ('dir %systemdrive%\*.exe;%systemdrive%\*.dll /A/B/S ^| findstr /V /I "dllcache ServicePackFiles Framework NtUninstallKB $NtServicePackUninstall$"') Do @(
  rem /M prints only the file name, /I ignores case; errors are discarded
  Findstr /M /I "tdlwsp evgffypx tdlcmd OPHELIA sicklied" "%%g" >> look.txt
) 2>nul
start notepad look.txt

Run check.bat, then post the text that will (eventually) open please.

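As an added example (not the thread's own code), here is the same check written in Python so it can be reviewed and tested outside cmd.exe: it walks a directory tree, applies the same excluded folder names and indicator strings as check.bat, searches each .exe/.dll case-insensitively, and reports hits by path. The sample tree it builds in a temporary directory is constructed for the demonstration and is an assumption; to reproduce the batch file, point `scan_tree` at the system drive instead.

```python
import os
import tempfile

# Same indicator strings and excluded folder names as check.bat
INDICATORS = ["tdlwsp", "evgffypx", "tdlcmd", "OPHELIA", "sicklied"]
EXCLUDE_DIRS = ["dllcache", "ServicePackFiles", "Framework",
                "NtUninstallKB", "$NtServicePackUninstall$"]
TARGET_EXTENSIONS = {".exe", ".dll"}


def path_excluded(rel_path: str) -> bool:
    """findstr /V /I equivalent: drop paths containing any excluded name."""
    lowered = rel_path.lower()
    return any(name.lower() in lowered for name in EXCLUDE_DIRS)


def scan_file(path: str, indicators=INDICATORS, chunk_size: int = 1 << 20) -> list:
    """Return the indicators found in a file, case-insensitively (findstr /I).
    Reads in chunks and keeps an overlap so a string split across two chunks
    is still found."""
    needles = [(name, name.lower().encode()) for name in indicators]
    overlap = max(len(n) for _, n in needles) - 1
    found = set()
    with open(path, "rb") as fh:
        tail = b""
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            window = (tail + buf).lower()
            for name, needle in needles:
                if needle in window:
                    found.add(name)
            tail = buf[-overlap:] if overlap else b""
    return sorted(found)


def scan_tree(root: str) -> list:
    """Walk root like `dir /S`, keep .exe/.dll files outside the excluded
    folders, and return (relative path, indicators) for every file with a hit."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if os.path.splitext(filename)[1].lower() not in TARGET_EXTENSIONS:
                continue
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root)
            if path_excluded(rel):
                continue
            hits = scan_file(full)
            if hits:
                results.append((rel, hits))
    return sorted(results)


def build_sample_tree() -> str:
    """Constructed test layout (an assumption, not real system files)."""
    root = tempfile.mkdtemp(prefix="check_bat_demo_")
    layout = {
        os.path.join("Windows", "system32", "clean.dll"): b"MZ" + b"\x00" * 64,
        # Mixed case shows the search is case-insensitive
        os.path.join("Windows", "system32", "suspect.exe"):
            b"MZ" + b"\x00" * 32 + b"TdLwSp" + b"\x00" * 8,
        # Lives under dllcache, so it must be skipped like the batch file does
        os.path.join("Windows", "system32", "dllcache", "skipped.dll"): b"MZ tdlcmd",
        # Not .exe/.dll, so never examined
        os.path.join("Windows", "notes.txt"): b"tdlwsp",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, hits in scan_tree(sample_root):
        print(rel, "->", ", ".join(hits))
```

Like the batch file, this is a plain substring search over file contents, so a hit means only that the string is present; the file still needs to be looked at before anything is deleted.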

What about the file evgffypx.sys? If so, we need a sample (I asked in post 17).

Also check the registry for its service to see if it's there, if possible.

I couldn't find the evgffypx.sys file on the system either. I also ran the .bat code that you gave me, but nothing appeared in Notepad.


I'd like to see a different kind of log (meanwhile, patience please).

Download and run SysInspector:

http://www.eset.com/download/sysinspector.php

Once it opens, go to File (top right) > Generate > Suitable for sending.

When it's finished, go to File > Save log.

It will save a compressed file (zip); attach that please.

If by chance it is too large to attach, submit it here:

http://www.bleepingcomputer.com/submit-malware.php
