rootkit cleanup


Sigh ... I was so much hoping that would take it out.

I need to take a look at the file

\\?\globalroot\Device\Ide\iaStor0\pwiwuctf\pwiwuctf\tdlwsp.dll

Please upload it to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=4

Note:

In the column where it says "Browse to the file you want to submit:", don't browse. Instead, paste the address \\?\globalroot\Device\Ide\iaStor0\pwiwuctf\pwiwuctf\tdlwsp.dll into the box. That should work.


Note:

In the column where it says "Browse to the file you want to submit:", don't browse. Instead, paste the address \\?\globalroot\Device\Ide\iaStor0\pwiwuctf\pwiwuctf\tdlwsp.dll into the box. That should work.

No box. If I select 'choose file', I get the dialog box to select a file.

If I paste the path in there, I get 'the above file name is invalid'.

Other file posted.


Today, we're going to try a different tool.

Please download IceSword from here > http://majorgeeks.com/Icesword_d5199.html

Unzip IceSword122en.zip to its own folder.

Then locate IceSword.exe and launch it by double clicking the executable. If it throws any error messages, let me know.

Click on File to bring up IceSword's disk explorer.

[image: IceSword_FileA.png]

Right click on Drive C:, and select Find Files.

[image: IceSword_File_tdlwspdll.png]

[image: IceSword_File_tdlwspdllB.png]

In the Search String box, type tdlwsp.dll. Then click Search.

If it finds anything, read out the results to me.

Note: Do not attempt to delete that file for that would cause Windows to throw a lot of error messages.


3 hits on iastor.sys

c:\drivers\storage\sata\onboard

c:\i386

c:\windows\system32\drivers

Iastor.sys is a legitimate Intel file critical for the machine. Don't act upon it.

Regrettably, there hasn't been much progress on this infection. We need to take the fight to another level: booting into a separate operating system using a Hiren's boot CD.

Please visit the website to download the boot CD > http://www.hirensbootcd.net/details/10.0.html (a hefty 190+ MB download)

The file contains a readme.txt which will guide you through burning it to a CD. Let me know if you encounter any difficulties.

I shall have further instructions soon.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@PROMPT $
DEL %0

Save this as ScanALL.bat. Choose "Save type as - All Files".

It should look like this: [image: bat_icon.gif]

Place "ScanALL.bat" at the root of the system drive - C:\ScanALL.bat

We'll run that in the BootCD environment.

Boot the computer using the Hiren CD. When you get to this screen, select "Start Mini Windows XP".

[image: HirenBootCD_menu.png]

[image: hirenboocd_desktop.png]

Double click to launch the Command Prompt.

In the ensuing window, type C:\ScanAll.bat. It will take some time before it finishes running. Great time for a cuppa.

When it finishes, restart the machine and boot back to your normal OS to retrieve this file - C:\ScanALL.txt

Zip the file and attach it to your next reply


Double click to launch the Command Prompt.

In the ensuing window, type C:\ScanAll.bat. It will take some time before it finishes running. Great time for a cuppa.

======

Got an application error box:

"The procedure * could not be located in the DLL sfc.dll."

Also, the DEL statement got a "could not find c:\windows\scanALL.bat".


Boot with Hiren's boot CD again, and perform the following actions ...

1) Locate this file - C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS

2) Rename it to IASTOR.SYS.BAD

3) Then copy a file from - C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS to C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS

Boot back to Normal mode. Then upload IASTOR.SYS.BAD to http://www.bleepingcomputer.com/submit-malware.php?channel=4

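The rename-and-replace step above rests on one assumption: the copy of IASTOR.SYS under C:\DRIVERS\STORAGE\SATA\ONBOARD is the untouched OEM driver, while the one loaded from system32\drivers may have been patched in place (which is why three hits on a "legit" file still matter). The script below is an added example, not the helper's or Malwarebytes' code, of how a responder would check that before copying anything: hash every copy, compare against the OEM reference, and only then rename the suspect file to .BAD and copy the reference over it, verifying the result by hash. It builds a constructed stand-in for the three locations from the thread under a temporary directory, so it runs offline and never touches a real Windows install; the directory layout and file contents are constructed, and the hypothetical `run_check` / `restore_driver` names are mine.

```python
"""Added example: verify a driver against a known-good OEM copy before replacing it.
All paths are constructed under a temporary directory (nothing here touches a real
Windows installation)."""
import hashlib
import os
import shutil
import tempfile

OEM_REL = os.path.join("drivers", "storage", "sata", "onboard", "IASTOR.SYS")
SYS32_REL = os.path.join("system32", "drivers", "iastor.sys")


def sha256_of(path):
    """Hash a file in 64 KiB chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename):
    """Every path under root whose name matches filename (case-insensitive);
    the same search IceSword's Find Files did for iastor.sys."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == filename.lower():
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def compare_to_reference(copies, reference):
    """Map each copy to True when its SHA-256 equals the reference copy's."""
    ref_hash = sha256_of(reference)
    return {p: sha256_of(p) == ref_hash for p in copies}


def restore_driver(target, reference, bad_suffix=".BAD"):
    """Rename the suspect driver to <name>.BAD (keeping it for submission),
    copy the reference into place, and verify the copy by hash."""
    quarantined = target + bad_suffix
    if os.path.exists(quarantined):
        raise FileExistsError(quarantined)  # never overwrite earlier evidence
    os.rename(target, quarantined)
    shutil.copy2(reference, target)
    if sha256_of(target) != sha256_of(reference):
        raise RuntimeError("copied driver does not match reference")
    return quarantined


def reference_path(root):
    """Location of the OEM copy, the trusted reference in this example."""
    return os.path.join(root, OEM_REL)


def build_constructed_tree():
    """Constructed stand-in for the three iastor.sys hits from the thread; the
    system32 copy is altered to play the part of a driver patched in place."""
    root = tempfile.mkdtemp(prefix="driver_check_")
    clean = b"MZ" + b"\x00" * 64 + b"constructed clean driver image"
    layout = {
        OEM_REL: clean,
        os.path.join("i386", "iastor.sys"): clean,
        os.path.join("windows", SYS32_REL): clean + b"\xCC" * 16,
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def run_check(root):
    """Locate every iastor.sys, compare against the OEM copy, and replace a
    mismatching copy only if it is the one in system32\\drivers.
    Returns (verdicts before repair, list of files renamed to .BAD)."""
    reference = reference_path(root)
    verdicts = compare_to_reference(find_copies(root, "iastor.sys"), reference)
    renamed = []
    for path, matches in verdicts.items():
        in_sys32 = os.path.normcase(path).endswith(os.path.normcase(SYS32_REL))
        if not matches and in_sys32:
            renamed.append(restore_driver(path, reference))
    return verdicts, renamed


if __name__ == "__main__":
    tree = build_constructed_tree()
    before, bad_files = run_check(tree)
    for p, ok in before.items():
        print(("match   " if ok else "MISMATCH") + "  " + p)
    print("renamed to .BAD:", bad_files)
```

The point of keeping the .BAD file rather than deleting it is the same as in the thread: the renamed driver is the sample to submit, and the hash recorded before and after the copy is what lets you prove the replacement actually happened.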

It's almost 7am for me. Calling it a day. See ya later.

7am !! you guys are dedicated -

mbam came back clean !!

Malwarebytes' Anti-Malware 1.41

Database version: 2866

Windows 5.1.2600 Service Pack 3

9/27/2009 6:50:31 PM

mbam-log-2009-09-27 (18-50-31).txt

Scan type: Quick Scan

Objects scanned: 104321

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

hopefully that's it - we can discuss cleanup later


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
