Rootkit TDL3 and HDD Plus

Discussion in 'Malware Help (A Specialist Will Reply)' started by webbyte, Dec 9, 2010.

  1. webbyte

    webbyte Private E-2

    Windows XP 32 bit - when logged on under the Sandy userid, HDD Plus runs. Used Ctrl-Alt-Del to disable it, and it runs again, but this time when disabling it shows 353989.exe. Tried running Malwarebytes under this userid but get what appear to be Windows messages regarding the hard drive, memory, critical system, etc., and the computer reboots before the scan completes.

    On the second userid, JLS/Joe, the computer operates normally, except that when using Internet Explorer I get redirected from certain sites, e.g., can't get to Majorgeeks.com.

    ComboFix found rootkit TDL3 and had to reboot to continue ComboFix. Ran all scans and still have above problems.

    AVG was running on this computer a few months ago but is not found now, so after running SuperAntispyware, Malwarebytes, and ComboFix, I installed AVG 2011. The initial scan found Trojan horse Hiloti.CB, Trojan horse Generic20.ACQM, and Virus Found FakeAlert.

    Attached are logs.
     


  2. webbyte

    webbyte Private E-2

    Re: Rootkit TDL3 and HDD Plus - MG tools logs

    Attached are MG Tools logs
     


  3. webbyte

    webbyte Private E-2

    Re: Rootkit TDL3 and HDD Plus - additional info

    During initial install of AVG 2011, dit.exe and ditexp.exe were detected and moved to virus vault
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this and see where we end up:

    Please use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 18

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    c:\windows\Mpitomukimup.dat
    c:\windows\Fledupovilometap.bin
    c:\windows\TEMP\TMP000000CF088C31ED41FD9D54
    C:\Documents and Settings\JLS\Local Settings\temp\7ZSD.TMP

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C).
    • Attach this log to your next message


    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * MBRCheck log.
    * TDSSKiller log.
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
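The MBRCheck step above reads the first sector of the disk and reports whether its boot code matches a known-good pattern ("Found non-standard or infected MBR" otherwise). The following is an added example, not MBRCheck's code and not from the thread, showing the core of such a check in Python: it parses the 512-byte sector, hashes the 440 bytes of bootstrap code against a known-good set, and sanity-checks the partition table (boot signature, at most one active partition, no overlapping entries). The boot code bytes, the partition layout and the "patched" variant are constructed for the demo and are not real Windows boot code or a real infection; a real known-good set must be built from trusted reference disks.

```python
"""Offline MBR sanity check in the spirit of MBRCheck (added example; demo data is constructed)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Set

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0-439: bootstrap code; 440-443: disk signature; 444-445: reserved
PART_TABLE_OFF = 446       # four 16-byte partition entries, then 0x55AA at 510-511
PART_ENTRY_LEN = 16
PART_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; disk signature and table vary per machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, mbr, off)
        if ptype != 0:                      # type 0 = unused slot
            parts.append(Partition(i, status == 0x80, ptype, lba_start, sectors))
    return parts


def check_mbr(mbr: bytes, known_good: Set[str]) -> Dict:
    """Parsed view plus a list of findings; an empty list means nothing odd was seen."""
    problems = []
    if len(mbr) != MBR_SIZE:
        problems.append(f"unexpected sector length {len(mbr)}")
    signature_ok = mbr[510:512] == b"\x55\xAA"
    if not signature_ok:
        problems.append("missing 0x55AA boot signature")
    digest = boot_code_hash(mbr)
    if digest not in known_good:
        problems.append("non-standard boot code (hash not in known-good set)")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) > 1:
        problems.append("more than one partition flagged bootable")
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        problems.append("overlapping partition entries")
    return {"signature_ok": signature_ok, "boot_code_sha256": digest,
            "partitions": parts, "problems": problems}


def build_mbr(boot_code: bytes, partitions: List[Partition], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector from its parts (used here only to construct demo data)."""
    assert len(boot_code) == BOOT_CODE_LEN
    table = bytearray(4 * PART_ENTRY_LEN)
    for p in partitions:
        struct.pack_into(PART_FMT, table, p.index * PART_ENTRY_LEN,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    return boot_code + struct.pack("<I", disk_sig) + b"\x00\x00" + bytes(table) + b"\x55\xAA"


# --- constructed demo data: not real Windows boot code, not a real infection ---
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB]) + b"\x90" * (BOOT_CODE_LEN - 8)
PATCHED_BOOT_CODE = b"\xEA\x00\x7C\x00\x00" + CLEAN_BOOT_CODE[5:]   # first instructions replaced by a far jump
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}          # in practice: hashes from trusted disks
SAMPLE_PARTITIONS = [Partition(0, True, 0x07, 63, 20_971_457),
                     Partition(1, False, 0x07, 20_971_520, 10_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
PATCHED_MBR = build_mbr(PATCHED_BOOT_CODE, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    # On a live Windows host (elevated): mbr = open(r"\\.\PhysicalDrive0", "rb").read(512)
    for label, sector in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        result = check_mbr(sector, KNOWN_GOOD)
        print(label, result["boot_code_sha256"][:16], result["problems"] or "no findings")
```

On a live XP host the sector comes from \\.\PhysicalDrive0 with administrative rights, but a kernel-mode rootkit that sits in the disk driver stack, as the TDL family does, can hand back a clean copy of the sectors it has modified. A read taken from a clean boot environment, or with the drive attached to another machine, is the one to trust when the in-OS result looks clean but symptoms persist.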
     
  5. webbyte

    webbyte Private E-2

    Deleted Java both versions

    Ran analyse.exe and Fix

    Ran fixME.reg and got success message.

    Unable to find c:\windows\TEMP\TMP000000CF088C31ED41FD9D54
    Found and deleted other files. There is a c:\windows\temp directory but it does not contain the file. Did a search for tmp0 and nothing found.

    Ran TDSSKiller. One Problem found - selected Cure and rebooted - log attached.

    Ran MBRCheck - log attached.

    Ran GetLogs.bat - zip file attached.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That should have taken care of any malware issues you were having.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
  7. webbyte

    webbyte Private E-2

    Shut computer down, connected ethernet cable, and restarted.

    Under Joe userid, everything seems to be working fine. No redirect on browser sites. Enabled windows firewall, AVG Antivirus and set to not show hidden and system files.

    Logged off Joe userid and logged onto Sandy userid - got:

    Error loading C:\Windows\KBMSNU.dll - specified module could not be found

    No start menu or task bar. HDD Plus program started running.

    Did ctrl-alt-del to stop HDD Plus and dll

    AVG detected the following:
    C:\Documents and Settings\Sandy\Local Settings\Temp\RAETNLIVSW.exe and
    C:\Documents and Settings\Sandy\Local Settings\Temp\353989.exe

    Checked to have AVG move both to Vault.

    AVG prompted for restart to complete removal

    After restart, logged onto Joe userid and AVG indicated malware removal completed - 3 processes terminated - 3 files removed.

    Logged off Joe userid and logged onto Sandy userid
    still getting: Error loading C:\Windows\KBMSNU.dll - The specified module could not be found. Everything else looks okay. HDD Plus shortcut on desktop is showing generic icon where previously it was showing the program icon. Internet Explorer seems to be working okay - no browser redirects.

    Should I run Ccleaner, SuperAntispyware and Malwarebytes for userid Sandy since unable to run earlier? How to get rid of dll error when logging on to Sandy userid?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run both SAS and MBAM as well as the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * MBAM
    * SAS
    * C:\MGlogs.zip
     
  9. webbyte

    webbyte Private E-2

    Still getting dll error when logging onto Sandy account.

    Do not seem to have any other problems with computer.
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay continuing with this SANDY account, this will keep you going until Tim logs in later today.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

    AVG is no longer on our list of recommended antivirus, and usually causes problems if installed when trying to run Combofix. I am surprised you got it to run with avg still installed.

    Tell us, or show us with a screenshot, what is inside of this folder:
    If you do not use Windows Messenger, run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix exit HJT.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Evegujikapakuk"=-
    "353989"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
    
    :files
    C:\WINDOWS\KBMSNU.dll
    C:\DOCUME~1\SANDY\LOCALS~1\Temp\353989.exe
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    You have a lot of temp files that have accumulated, as far back as September, so let's be shot of them:
    Run Combofix.

    Run TDSSKiller.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  11. webbyte

    webbyte Private E-2

    Under Sandy Account

    Ran msconfig to put machine back into normal start up mode.

    Note: AVG was not installed when running Combofix.

    Attached is screenshot of requested folder.

    Uninstalled Windows Messenger

    Ran HJT and fix

    Ran OTM - log file attached - after OTM ran and computer rebooted, during restart got prompt asking for permission to allow OTM.exe to run. Since that wasn't mentioned in instructions, clicked Cancel and did not allow it to run. Did not get the prompt on next restart. Looks like temp files were deleted when OTM was run? Had initially run Ccleaner from Safe Mode under Joe userid but don't remember if Ccleaner was run under normal mode. Should Ccleaner remove the Temp files?

    Ran Combofix - log attached - Note: have had black desktop under Sandy userid but after running Combofix the selected desktop picture is now displaying.

    Ran TDSSKiller - nothing detected - log attached

    MGlogs.zip file - in separate reply
     


  12. webbyte

    webbyte Private E-2

    MGlogs
     


  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. However, I can't find any reference in them to KBMSNU.dll. There isn't a reg key that is trying to load a file that is missing. We can try doing a search:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      KBMSNU.dll
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
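An "Error loading C:\Windows\KBMSNU.dll - The specified module could not be found" message at logon is typically what rundll32 shows when an autostart entry still points at a DLL that has since been removed, which is the kind of dangling reference the SystemLook search above is hunting for. As an added example (not from the thread, and not SystemLook's or HijackThis's code), the Python below takes a regedit export of the Run keys, works out which file each entry would actually load (the host's argument for rundll32/regsvr32, the command itself otherwise), and lists the entries whose target is missing. The sample export, the entry names other than those quoted in the thread's OTM script, and the set of "present" files are constructed; the thread never shows what the real Run values contained.

```python
"""Find Run-key autostart entries whose target file no longer exists, from a regedit
(.reg) export. Added example; the sample export and file list are constructed."""
import re
from typing import Callable, Dict, List, Tuple

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Hosts that load the file named in their arguments; the host itself is not the target.
LOADER_HOSTS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}


def _unescape(s: str) -> str:
    """Undo .reg string escaping (doubled backslash, backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value name: string data}} for the REG_SZ values in an export.
    Deletion markers ("name"=- and [-key]), hex()/dword data and @ defaults are skipped."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1]
            if current is not None:
                entries.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            entries[current][name] = _unescape(data[1:-1])
    return entries


def split_cmd(cmd: str) -> List[str]:
    """Tokenise a Windows command line, keeping quoted segments together."""
    return [t[1:-1] if t.startswith('"') else t for t in re.findall(r'"[^"]*"|\S+', cmd)]


def target_path(cmd: str, env: Dict[str, str]) -> str:
    """The file an autostart command will actually load, with %VAR% expanded from env."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), cmd)
    tokens = split_cmd(expanded)
    if not tokens:
        return ""
    head = tokens[0].rsplit("\\", 1)[-1].lower()
    if head not in LOADER_HOSTS:
        return tokens[0]
    for tok in tokens[1:]:
        if not tok.startswith("/"):            # skip switches such as regsvr32 /s
            return tok.split(",", 1)[0]        # "C:\x.dll,EntryPoint" -> "C:\x.dll"
    return ""


def find_dangling(entries: Dict[str, Dict[str, str]], exists: Callable[[str], bool],
                  env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(key, value name, target) for every Run entry whose target path is absent."""
    dangling = []
    for key in RUN_KEYS:
        for name, cmd in entries.get(key, {}).items():
            path = target_path(cmd, env)
            if "\\" not in path:               # bare names are resolved via PATH; not checked here
                continue
            if not exists(path):
                dangling.append((key, name, path))
    return dangling


# --- constructed demo data: a regedit export and the files "present" on the box ---
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"353989"="C:\\DOCUME~1\\SANDY\\LOCALS~1\\Temp\\353989.exe"
"Loader"="rundll32.exe \"C:\\WINDOWS\\KBMSNU.dll\",Startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="\"%ProgramFiles%\\AVG\\AVG10\\avgtray.exe\""
'''
DEMO_ENV = {"PROGRAMFILES": r"C:\Program Files", "SYSTEMROOT": r"C:\WINDOWS"}
PRESENT_FILES = {r"c:\windows\system32\ctfmon.exe", r"c:\program files\avg\avg10\avgtray.exe"}


def demo_exists(path: str) -> bool:
    """Case-insensitive lookup standing in for os.path.exists on a live Windows host."""
    return path.lower() in PRESENT_FILES


if __name__ == "__main__":
    for key, name, path in find_dangling(parse_reg_export(SAMPLE_EXPORT), demo_exists, DEMO_ENV):
        print(f"{key}\\{name} -> missing {path}")
```

On a real machine the export comes from `reg export` of each Run key and `exists` is `os.path.exists`; the same walk is worth repeating over the RunOnce keys, the Winlogon Shell/Userinit values and the AppInit_DLLs value, since a stale reference in any of them produces the same "module could not be found" dialog at logon.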
     
  14. webbyte

    webbyte Private E-2

    I'll run SystemLook as you recommend but expect the registry key for KBMSNU.dll was deleted when HijackThis was run per earlier instructions from Kestrel13!

    Since running HijackThis earlier today, no longer receiving the error regarding loading KBMSNU.dll when logging on to Sandy userid.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are no longer getting that message, then you are good to go.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
  16. webbyte

    webbyte Private E-2

    Thanks for your help with this. Finished the clean up steps and everything appears to be working okay.

    Decided to install Microsoft Security Essentials instead of AVG.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing!! :)
     
