DogSoldier
1,176 Posts

Packed.Win32.TDSS.y problem, or something...

Hi folks, I've been battling viruses since about 12 PM last night. I picked it up on a torrent site and immediately, all my windows minimized as this thing installed itself. VIPRE Rescue5360 was able to log what was wrong but couldn't delete all the bad files. Most of them were sitting in Windows/System32 and were named UACyoultoejtk.dll or such. The proper names for these viruses/trojans are Explorer32.Hijacker, Generic MBR Rootkit and Packed.Win32.TDSS.y.

I was able to borrow a computer to burn the F-Secure ISO onto CD. After booting from this CD I ran the scan and it deleted 6 instances of UACblahblahblah. All that remains now is something called globalroot\Device\__max++>\69AEAAFC.x86.dll and this seems to be preventing the other antivirus programs from installing or working. I get a lot of NT Policy errors, like if I kill a process with the 69AEAAFC.x86.dll in it, I get a "System Shutdown" due to a missing RPC or something. I am able to disable the shutdown by typing shutdown -a in Run.

I ran Gmer's mbr.exe and it comes up clean, evidently, no MBR virus but I don't know...

After I ran the F-Secure CD, I was able to run Gmer. Before I get to that log, here is a list of programs that will still NOT run, in Safe Mode OR normal: HiJackThis, Malwarebytes, ComboFix, RootRepeal, Kaspersky Antivirus - both standalone and browser, Counterspy, BitDefender Browser client... a few others I forgot...

What does work?! F-Secure ISO on CD, Gmer, CCleaner, ATF-Cleaner and VIPRE Rescue5360

Here's the Gmer log:
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:17:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF79BD4D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF79BD520]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB6F2A6D0]

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP100.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1440] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1520] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3848] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

If it helps, I can also post the latest VIPRERescueScanner log.

HAAALLLPPP!!!!

//Edited to reflect the latest Gmer log
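The GMER log above is the most useful evidence in the post: a module with no drive-letter path (`\\?\globalroot\Device\...`) is flagged as hidden inside Firefox, several svchost instances, the spooler and alg.exe, its code is the target of inline patches on GDI32/USER32 exports and of IAT hooks on `NtWriteFile` and `LdrGetProcedureAddress`, and `LoadAppInit_DLLs` is set to 1. Pulling those facts out by hand across a long log is error-prone, so the script below is an added example (not from the poster or from GMER) that parses the `.text`, `IAT`, `Library` and `Reg` line formats seen in this log and summarises, per hidden module, which processes it lives in and which APIs are hooked into it. The embedded input is an excerpt of the log posted above; the function names and the `unusual_path` heuristic are this example's own assumptions, not GMER features.

```python
"""Triage helper for a GMER rootkit-scan log: list hidden modules, the
processes they are mapped into, the API hooks that point at them, and the
AppInit_DLLs registry state.  Added example, not part of GMER or the post."""
import re
from collections import defaultdict

# Excerpt of the GMER log from the post above, embedded here as the sample
# input (a subset of the original lines, sections otherwise unchanged).
SAMPLE_LOG = r"""GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:17:03
Windows 5.1.2600 Service Pack 3

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----
"""

# One regex per GMER line type used here (patterns derived from the log above).
HIDDEN_RE = re.compile(
    r"^Library (?P<module>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) "
    r"\[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$")
INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+!\S+) \+ [0-9A-F]+ "
    r"[0-9A-F]+ \d+ Bytes \S+ [0-9A-F]+ (?P<module>\S+)$")
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ \S+ \[(?P<api>[^\]]+)\] "
    r"\[[0-9A-F]+\] (?P<module>\S+)$")
REG_RE = re.compile(r"^Reg (?P<key>.+?)@(?P<value>\S+)(?: (?P<data>.*))?$")


def parse_gmer_log(text):
    """Return the hooks, hidden modules and registry values found in a log."""
    report = {
        "hidden_modules": defaultdict(set),  # module path -> {(process, pid)}
        "inline_hooks": [],                  # dicts: proc, pid, api, module
        "iat_hooks": [],
        "registry": {},                      # value name -> data string
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            report["hidden_modules"][m["module"]].add((m["proc"], int(m["pid"])))
        elif m := INLINE_RE.match(line):
            report["inline_hooks"].append(
                {"proc": m["proc"], "pid": int(m["pid"]), "api": m["api"], "module": m["module"]})
        elif m := IAT_RE.match(line):
            report["iat_hooks"].append(
                {"proc": m["proc"], "pid": int(m["pid"]), "api": m["api"], "module": m["module"]})
        elif m := REG_RE.match(line):
            report["registry"][m["value"]] = m["data"] or ""
    return report


def summarize(report):
    """Collapse the parsed log into per-module facts a responder wants:
    where the module is mapped, which APIs are redirected into it, and
    whether it was mapped from a device path instead of a normal drive path
    (a heuristic assumed here, not a GMER verdict)."""
    modules = {}
    for module, procs in report["hidden_modules"].items():
        hooks = [h for h in report["inline_hooks"] + report["iat_hooks"] if h["module"] == module]
        modules[module] = {
            "processes": sorted({p for p, _ in procs}),
            "pids": sorted(pid for _, pid in procs),
            "hooked_apis": sorted({h["api"] for h in hooks}),
            "unusual_path": module.lower().startswith("\\\\?\\globalroot\\"),
        }
    return {
        "modules": modules,
        "load_appinit_dlls": report["registry"].get("LoadAppInit_DLLs"),
        "appinit_dlls": report["registry"].get("AppInit_DLLs", ""),
    }


if __name__ == "__main__":
    s = summarize(parse_gmer_log(SAMPLE_LOG))
    for module, info in s["modules"].items():
        print(f"hidden module: {module}  (device path: {info['unusual_path']})")
        print("  processes :", ", ".join(info["processes"]))
        print("  pids      :", info["pids"])
        print("  hooked api:", ", ".join(info["hooked_apis"]))
    print("LoadAppInit_DLLs =", s["load_appinit_dlls"], "| AppInit_DLLs =", repr(s["appinit_dlls"]))
```

Run against the full log it would list every svchost, spoolsv, acs.exe and alg.exe instance the hidden DLL is mapped into, which is why user-mode tools launched from the infected system keep failing: the hooks on `LdrGetProcedureAddress` and `NtWriteFile` sit inside the very processes those tools rely on, so a scan from outside the running OS (the boot CD the poster used) is the sensible way to remove it.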
