maj Posted January 12, 2010 ID:183338 Share Posted January 12, 2010 Hey everyone a few days ago, I got this Malware Defense virus, and all the lovely trojans along with it. After finding a guide using malwarebytes and studying on this thing, I removed it and all. And Malwarebytes said my pc was clean yet after the restart, Firefox wont work, just gives Drwatson error when I try to open. So I run this program called rkill from the guide to kill the rootkit and open new explorer.exe, and all is fine, I scan with Malwarebytes again and it shows Rootkit.TDSS is hiding in registry HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT. Yet when I go into the registry in normal or safe mode the registry key is not there?! This is a repeated process every time I turn my computer on. I have included the log here from safe mode, I have other from regular if its wanted. Some help on how to finally get rid of this is really appreciated! Thanks.Malwarebytes' Anti-Malware 1.44Database version: 3458Windows 5.1.2600 Service Pack 3 (Safe Mode)Internet Explorer 6.0.2900.55121/12/2010 1:02:21 PMmbam-log-2010-01-12 (13-02-21).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 189841Time elapsed: 19 minute(s), 57 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 13, 2010 Staff ID:183608 Share Posted January 13, 2010 Hi,Please read the instructions below and follow them in exactly the same way as described:Start MalwareBytes and click the Update tab. There click "Check for updates"Once the updates are downloaded, perform a quick scan again.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Do NOT post the log yet, but allow mbam to reboot.After reboot, immediately rescan with malwarebytes, let it perform another scan, select to remove and reboot once again.It's important that these steps are performed immediately after eachother (scan > select to remove > reboot > right after reboot, another scan > select to remove > reboot).Then when done, post the LATEST malwarebytes log in your next reply. Only post that log AFTER the second reboot. Link to post Share on other sites More sharing options...
maj Posted January 14, 2010 Author ID:183867 Share Posted January 14, 2010 Hello I followed your instructions as you said. I dont know if this makes a difference, the first reboot was successful, I rescanned deleted rebooted, on the second time to start up it wouldnt load windows, it went to a black screen I had to manually turn it off and start back up, but here is the results. Malwarebytes' Anti-Malware 1.43Database version: 3554Windows 5.1.2600 Service Pack 3Internet Explorer 6.0.2900.55121/13/2010 5:36:58 PMmbam-log-2010-01-13 (17-36-58).txtScan type: Quick ScanObjects scanned: 120258Time elapsed: 6 minute(s), 47 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 8Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\H8SRTmwpawktetj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\H8SRTpoaqjnbkpj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\H8SRTskakboirrr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\H8SRTlhlsmlgibq.sys (Trojan.TDSS) -> Quarantined and deleted successfully.C:\Documents and Settings\123\Local Settings\Temp\H8SRT1ded.tmp (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\h8srtkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\h8srtshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\H8SRTkvkqlxrhcj.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.s Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 14, 2010 Staff ID:183924 Share Posted January 14, 2010 Hi,Can you rescan again with Malwarebytes and post the latest log please? Link to post Share on other sites More sharing options...
maj Posted January 14, 2010 Author ID:184071 Share Posted January 14, 2010 I rescanned after I did the deletion and reboot of the former log results, and I got this.Malwarebytes' Anti-Malware 1.43Database version: 3554Windows 5.1.2600 Service Pack 3Internet Explorer 6.0.2900.55121/13/2010 7:19:01 PMmbam-log-2010-01-13 (19-19-01).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 191484Time elapsed: 32 minute(s), 11 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP105\A0021863.dll (Trojan.Vundo) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 14, 2010 Staff ID:184073 Share Posted January 14, 2010 Hi,Only a leftover was found. The main rootkit is already gone now - since Malwarebytes could deal with it properly How are things now? Link to post Share on other sites More sharing options...
maj Posted January 14, 2010 Author ID:184084 Share Posted January 14, 2010 Sorry for doing a double post, but I thought about the location of that and I disabled system restore and rebooted, rescanned and got this.Malwarebytes' Anti-Malware 1.43Database version: 3554Windows 5.1.2600 Service Pack 3Internet Explorer 6.0.2900.55121/14/2010 1:11:11 PMmbam-log-2010-01-14 (13-11-11).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 184840Time elapsed: 23 minute(s), 50 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)So I think its clean now? I think disabling the system restore worked I dont know, but it seems like it? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 14, 2010 Staff ID:184088 Share Posted January 14, 2010 Yes, if you disable system restore, it deletes the restore points in it. I suggest you enable system restore again since this is recommended. It will have clean restore points now since older ones got deleted Please read my Prevention page with lots of info and tips how to prevent this in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.Happy Surfing again! Link to post Share on other sites More sharing options...
maj Posted January 14, 2010 Author ID:184098 Share Posted January 14, 2010 Haha I will do that.Unfortunately I knew how to prevent, my first virus in 5 years . Also I know how I got it too, I downloaded Avi2Dvd, which is freeware, and had some adware on it, and I let it install. My own stupidity, so I hope it helps to tell people to watch out when downloading that program!Thanks tons for the help! Also great program you guys made, and the trial or free version, EXCELLENT! Thanks Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 14, 2010 Staff ID:184106 Share Posted January 14, 2010 You're most welcome Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 16, 2010 Staff ID:184891 Share Posted January 16, 2010 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts