My PC is down (Rootkit.TDSS) - Help please.

[LonnyRJ]

Thanks for you patience Val2Read

Lets try this while the PC is in safe mode, ignore the recovery console and bitdefender message's again

Launch Notepad (Important, not wordpad or other third party text editor), and copy and paste the contents

of the code box below into a new text file. (dont include the word code)

Save it as file name: cfscript.txt

http://www.malwarebytes.org/forums/index.php?showtopic=25330
collect::
c:\windows\system32\tdlwsp.dll
c:\windows\system32\tdlcmd.dll
registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
killall::

Once in safe mode

As in the picture above drag and drop cfscript.txt onto combofix.exe

When it is finished a text will open, Close it.

Additonally, ComboFix attempt to submit samples, cancel that

Restart your PC to normal mode and double click this file c:\CF-Submit.htm

Also post C:\combofix.txt

[Val2Read]

LonnyRJ - unfortunately, looks like the PC won't allow me to boot up in safe mode now - must have tried 20 times. I'll try a few more, and see if I can get in.

[Val2Read]

LonnyRJ - still can't boot up in safe mode - BSOD prevents it completing. Should I try to run the script in normal mode? Please let me know. THanks.

[LonnyRJ]

Yes please do, give it plenty time to work.

[Val2Read]

Will do. Thanks LonnyRJ.

By the way, it's been running for about an hour, and I got an error message stating "Installation Failed".

Should I ignore it?

[LonnyRJ]

An hour is to much, you can restart your pc if you like.

Hang tight, other analysts/developers are working methods to see whats going on.

[Val2Read]

Okay. I really appreciate your efforts to help me out LonnyRJ. From reading other posts, it looks like I got just about the nastiest rootkit one can find these days - one that appears to take residence in RAM. I thought RAM-resident bugs went out of fashion a few years ago.

But with your help, I will keep fighting until we beat this bug.

An hour is to much, you can restart your pc if you like.

Hang tight, other analysts/developers are working methods to see whats going on.

[Val2Read]

LonnyRJ - on a lark I tried dropping in the script again while in normal mode, and this time ComboFix ran all of the 50 scans and then rebooted my computer. But I can't seem to find c:\CF-Submit.htm or C:\combofix.txt. Could these be in some other directory? Please advise. Thanks.

[LonnyRJ]

Lets see if its at another location

Go start run, paste in or type

c:\combofix\combofix.txt

press enter

[Val2Read]

Lets see if its at another location

Go start run, paste in or type

c:\combofix\combofix.txt

press enter

This is the text of what popped up:

ComboFix 09-09-22.01 - 09/23/2009 11:25:22.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2514 [GMT -7:00]

Running from: C:\Documents and Settings\AA\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Alen Aguilar\Desktop\cfscript.txt

AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

ADS - WINDOWS: deleted 0 bytes in 1 streams.

[LonnyRJ]

Thanks, do this next

go start run copy then paste in (or type)

C:\ComboFix\Combobatch.bat

The log should eventualy automaticly open

[Val2Read]

Thanks, do this next

go start run copy then paste in (or type)

C:\ComboFix\Combobatch.bat

The log should eventualy automaticly open

LonnyRJ - I didn't get anything.

[LonnyRJ]

Delete this file if it exists

C:\WINDOWS\ntbtlog.txt <<

Go start run type

msconfig

press enter

click the boot.ini tab and place a check next to [x] Bootlog click apply then ok and yes to the restart of your PC

Once windows if fully loaded post this text C:\WINDOWS\ntbtlog.txt

Also

run hijackthis click config > misc tools > open ads spy, leave the box's as they are click scan

If anything is found save that log and post it please.

[Val2Read]

Delete this file if it exists

C:\WINDOWS\ntbtlog.txt <<

Go start run type

msconfig

press enter

click the boot.ini tab and place a check next to [x] Bootlog click apply then ok and yes to the restart of your PC

Once windows if fully loaded post this text C:\WINDOWS\ntbtlog.txt

Hi LonnyRJ - sorry for late reply - here's the ntblog.txt:

Service Pack 3 9 24 2009 14:58:18.375

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver avgarkt.sys

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver pcmcia.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver ACPIEC.sys

Loaded driver \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

Loaded driver Shockprf.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver iaStor.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver DRVMCDB.SYS

Loaded driver PQV2i.sys

Loaded driver PxHelp20.sys

Loaded driver stcvsm.sys

Loaded driver TPkd.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver inspect.sys

Loaded driver \WINDOWS\System32\DRIVERS\NDIS.SYS

Loaded driver \WINDOWS\System32\DRIVERS\TDI.SYS

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\igxpmp32.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\b57xp32.sys

Loaded driver \SystemRoot\system32\DRIVERS\ar5211.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\atmeltpm.sys

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\ibmpmdrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\drivers\iviaspi.sys

Loaded driver \SystemRoot\System32\Drivers\DLACDBHM.SYS

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\btkrnl.sys

Loaded driver \SystemRoot\system32\DRIVERS\DisplayLinkmirrorport.sys

Loaded driver \SystemRoot\system32\DRIVERS\DisplayLinkGAport.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\system32\drivers\btaudio.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\ADIHdAud.sys

Loaded driver \SystemRoot\system32\drivers\AEAudio.sys

Loaded driver \SystemRoot\system32\DRIVERS\hsxhwazl.sys

Loaded driver \SystemRoot\system32\DRIVERS\hsx_dpv.sys

Loaded driver \SystemRoot\system32\DRIVERS\hsx_cnxt.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Loaded driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Loaded driver \SystemRoot\System32\DRIVERS\cmdguard.sys

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\Drivers\DLARTL_N.SYS

Loaded driver \SystemRoot\System32\DRIVERS\AvgArCln.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\cmdhlp.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\system32\DRIVERS\serial.sys

Did not load driver \SystemRoot\system32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\System32\drivers\TSMAPIP.SYS

Loaded driver \SystemRoot\System32\drivers\Tppwrif.sys

Loaded driver \SystemRoot\System32\Drivers\TPHKDRV.SYS

Loaded driver \SystemRoot\System32\drivers\TDSMAPI.SYS

Loaded driver \SystemRoot\System32\drivers\Smapint.sys

Loaded driver \SystemRoot\System32\Drivers\ShockMgr.SYS

Loaded driver \SystemRoot\System32\Drivers\sbmount.SYS

Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\System32\Drivers\PQIMount.SYS

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\System32\Drivers\DRVNDDM.SYS

Loaded driver \SystemRoot\System32\DLA\DLADResN.SYS

Loaded driver \SystemRoot\System32\DLA\DLAIFS_M.SYS

Loaded driver \SystemRoot\System32\DLA\DLAOPIOM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAPoolM.SYS

Loaded driver \SystemRoot\System32\DLA\DLABOIOM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAUDFAM.SYS

Loaded driver \SystemRoot\System32\DLA\DLAUDF_M.SYS

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\system32\DRIVERS\PROCDD.SYS

Loaded driver \??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\ibmfilter.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys

Loaded driver \??\C:\WINDOWS\System32\drivers\pmemnt.sys

Loaded driver \??\C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys

Loaded driver \??\C:\Program Files\SMI2\smi2.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \??\C:\Program Files\IBM ThinkVantage\Rescue and Recovery\WAM.sys

Loaded driver \??\C:\Program Files\IBM ThinkVantage\Rescue and Recovery\WAM.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

[Val2Read]

Also

run hijackthis click config > misc tools > open ads spy, leave the box's as they are click scan

If anything is found save that log and post it please.

This is what HijackThis came back with:

C:\WINDOWS : AstInfo (0 bytes)

[LonnyRJ]

Download MBR.exe from http://www.gmer.net/#files

Place it on your desktop but run it in this fashion, go start run type in

"%userprofile%\desktop\mbr.exe" -t

press enter and post the mbr.log that will be next to the mbr.exe tool

[Val2Read]

Download MBR.exe from http://www.gmer.net/#files

Place it on your desktop but run it in this fashion, go start run type in

"%userprofile%\desktop\mbr.exe" -t

press enter and post the mbr.log that will be next to the mbr.exe tool

LonnyRJ - here's what we got:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys >>UNKNOWN [0x8B563C2A]<<

kernel: MBR read successfully

user & kernel MBR OK

[LonnyRJ]

Are you back yet Val2Read ? (notified via pm he would be away)

Id like to see a differant kind of log (meanwhile patience please)

Download and run sysinspector

http://www.eset.com/download/sysinspector.php

once it opens go file (top right) generate > suitable for sending

when its finished go file save log.

It will save a a compressed file (zip), attach that please.

If by chance it is to large to attach submit it here

http://www.bleepingcomputer.com/submit-malware.php

[LonnyRJ]

Disregard sysinspector instructions

Copy the contents of the code (dont include the word code) box below into a new notepad document (not wordpad or another text editor).

Click file> save as...> call it check.bat > file types *all files*> and save it to your desktop.

For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\iaStor.sys'
) Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
sc query type= driver group= "SCSI Miniport" >>report.txt
start notepad report.txt & exit

Run check.bat, a text should open post it.

[Val2Read]

Disregard sysinspector instructions

Copy the contents of the code (dont include the word code) box below into a new notepad document (not wordpad or another text editor).

Click file> save as...> call it check.bat > file types *all files*> and save it to your desktop.

For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\iaStor.sys'
) Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
sc query type= driver group= "SCSI Miniport" >>report.txt
start notepad report.txt & exit

Run check.bat, a text should open post it.

Thanks LonnyRJ. Here are the results:

"C:\WINDOWS\system32\drivers\IASTOR.SYS" 874240 10/12/2005 12:07 PM

SERVICE_NAME: atapi

DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: iaStor

DISPLAY_NAME: Intel AHCI Controller

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

[LonnyRJ]

Lets change it so it looks in c:\ rather than windows and its subdirectories

delete check.bat (and report.txt) and make another please.

For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %systemdrive%\iaStor.sys'
) Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
start notepad report.txt

[Val2Read]

Lets change it so it looks in c:\ rather than windows and its subdirectories

delete check.bat (and report.txt) and make another please.

For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %systemdrive%\iaStor.sys'
) Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
start notepad report.txt

The results:

"C:\DRIVERS\OTHER\IASTOR.SYS" 874240 10/12/2005 12:07 PM

"C:\IBMTOOLS\DRIVERS\IMSM\IASTOR.SYS" 874240 10/12/2005 12:07 PM

"C:\WINDOWS\system32\drivers\IASTOR.SYS" 874240 10/12/2005 12:07 PM

[LonnyRJ]

This run of combofix shouldnt take long and might even run while your in normal mode.

Launch Notepad (Important, not wordpad or other third party text editor), and copy and paste the contents

of the code box below into a new text file. (dont include the word code)

Save it as file name: cfscript.txt

skipfix::
fcopy::
"C:\IBMTOOLS\DRIVERS\IMSM\IASTOR.SYS"|"C:\WINDOWS\system32\drivers\IASTOR.SYS"
killall::

As in the picture above drag and drop cfscript.txt onto combofix.exe

When it is finished a text will open, post it.

[Val2Read]

This run of combofix shouldnt take long and might even run while your in normal mode.

Launch Notepad (Important, not wordpad or other third party text editor), and copy and paste the contents

of the code box below into a new text file. (dont include the word code)

Save it as file name: cfscript.txt

skipfix::
fcopy::
"C:\IBMTOOLS\DRIVERS\IMSM\IASTOR.SYS"|"C:\WINDOWS\system32\drivers\IASTOR.SYS"
killall::

As in the picture above drag and drop cfscript.txt onto combofix.exe

When it is finished a text will open, post it.

LonnyRJ - all I got was a dialogue box that said "Installation Failed".

[LonnyRJ]

Let use Avenger

Please download The Avenger2 by SwanDog46. http://swandog46.geekstogo.com/avenger.zip

Unzip avenger.exe to your desktop.

Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

(dont include the word code)

Comment:
begin copy here
files to move:
C:\IBMTOOLS\DRIVERS\IMSM\IASTOR.SYS|C:\WINDOWS\system32\drivers\IASTOR.SYS

Now start The Avenger2 by double clicking avenger.exe on your desktop.

Read the prompt that appears, and press OK.

Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

(what you pasted in must be at the very top) Press the "Execute" button.

You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open.

Please paste that log here in your next post.

Restart your PC

Do a quickscan with Mbam and post its log