Packed.Win32.TDSS.y problem, or something...
DogSoldier
The heart of radical Amish country..
Hi folks, I've been battling viruses since about 12 PM last night. I picked it up on a torrent site and immediately all my windows minimized as this thing installed itself. VIPRE Rescue5360 was able to log what was wrong but couldn't delete all the bad files. Most of them were sitting in Windows/System32 and were named UACyoultoejtk.dll or such. The proper names for these viruses/trojans are Explorer32.Hijacker, Generic MBR Rootkit and Packed.Win32.TDSS.y
I was able to borrow a computer to burn the F-Secure ISO onto CD. After booting from this CD I ran the scan and it deleted 6 instances of UACblahblahblah. All that remains now is something called globalroot\Device\__max++>\69AEAAFC.x86.dll and this seems to be preventing the other antivirus programs from installing or working. I get a lot of NT Policy errors; for example, if I kill a process with the 69AEAAFC.x86.dll in it, I get a "System Shutdown" due to a missing RPC or something. I am able to disable the shutdown by typing shutdown -a in Run.
I ran Gmer's mbr.exe and it comes up clean; evidently no MBR virus, but I don't know...
After I ran the F-Secure CD, I was able to run Gmer. Before I get to that log, here is a list of programs that will still NOT run, in Safe Mode or normal: HiJackThis, Malwarebytes, ComboFix, RootRepeal, Kaspersky Antivirus (both standalone and browser), Counterspy, BitDefender Browser client... a few others I forgot...
What does work?! F-Secure ISO on CD, Gmer, CCleaner, ATF-Cleaner and VIPRE Rescue5360
Here's the Gmer log:
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:17:03
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF79BD4D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF79BD520]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB6F2A6D0]
---- Kernel code sections - GMER 1.0.15 ----
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP100.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1440] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1520] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3848] 0x35670000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- EOF - GMER 1.0.15 ----
If it helps, I can also post the latest VIPRERescueScanner log.
HAAALLLPPP!!!!
//Edited to reflect the latest Gmer log
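The GMER log above shows one module, referenced only by a raw object-manager path (\\?\globalroot\Device\__max++>\87B7C76E.x86.dll) rather than a drive letter, mapped into firefox.exe, several svchost.exe instances, spoolsv.exe, acs.exe and alg.exe, marked hidden, and with both inline (.text) and IAT hooks pointing into it, while the AppInit_DLLs value is empty. The following parser is an added example, not code from the poster, from GMER or from any vendor: it reads GMER's "User code sections", "User IAT/EAT", "Processes" and "Registry" lines, correlates hooked APIs and hidden libraries per process, and flags modules loaded from a device path. The sample log embedded below is a constructed subset of the lines quoted in the post; the regexes assume GMER 1.0.15's line layout as shown there and are not an official grammar.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the GMER 1.0.15 output quoted in the post.
SAMPLE_LOG = r"""
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:17:03
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- EOF - GMER 1.0.15 ----
"""

# Line shapes as they appear in the log above (assumed layout, not an official grammar).
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<api>\S+)\s+\+\s+[0-9A-Fa-f]+\s+"
    r"[0-9A-Fa-f]+\s+\d+\s+Bytes\s+(?P<kind>JMP|CALL)\s+[0-9A-Fa-f]+\s+(?P<module>.+?)\s*$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<iat_mod>.+?)\s+\[(?P<api>[^\]]+)\]\s+"
    r"\[[0-9A-Fa-f]+\]\s+(?P<module>.+?)\s*$")
LIB_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+(?:\((?P<flags>[^)]*)\)\s+)?@\s+(?P<proc>.+?)\s+"
    r"\[(?P<pid>\d+)\]\s+0x[0-9A-Fa-f]+\s*$")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+)@(?P<value>\S+)(?:\s+(?P<data>.*?))?\s*$")

# Modules addressed through the object manager instead of a drive letter.
DEVICE_PREFIXES = ("\\\\?\\globalroot\\device\\", "\\device\\")


def is_device_path(path):
    """True when a module path bypasses the drive-letter namespace."""
    return path.lower().replace("/", "\\").startswith(DEVICE_PREFIXES)


def analyze(log_text):
    """Correlate hooks, hidden libraries and AppInit_DLLs settings from a GMER log."""
    hidden = defaultdict(set)          # module -> pids where GMER flagged it hidden
    device_modules = defaultdict(set)  # device-path module -> pids it was seen in
    hooks = []                         # (pid, process, api, hook kind, target module)
    appinit = {}

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = INLINE_RE.match(line) or IAT_RE.match(line)
        if m:
            kind = "inline " + m["kind"] if "kind" in m.groupdict() else "IAT"
            pid = int(m["pid"])
            hooks.append((pid, m["proc"], m["api"], kind, m["module"]))
            if is_device_path(m["module"]):
                device_modules[m["module"]].add(pid)
            continue
        m = LIB_RE.match(line)
        if m:
            pid = int(m["pid"])
            if m["flags"] and "hidden" in m["flags"]:
                hidden[m["module"]].add(pid)
            if is_device_path(m["module"]):
                device_modules[m["module"]].add(pid)
            continue
        m = REG_RE.match(line)
        if m and m["value"] in ("AppInit_DLLs", "LoadAppInit_DLLs"):
            appinit[m["value"]] = m["data"] or ""

    findings = []
    for mod, pids in device_modules.items():
        tag = "hidden, " if mod in hidden else ""
        findings.append(f"{mod}: {tag}device-path module in pids {sorted(pids)}")
    for pid, proc, api, kind, mod in hooks:
        if is_device_path(mod) or mod in hidden:
            exe = proc.rsplit("\\", 1)[-1]
            findings.append(f"pid {pid} ({exe}): {kind} hook on {api} -> {mod}")
    if appinit.get("AppInit_DLLs", "") == "":
        findings.append("AppInit_DLLs is empty: that load point does not explain the injection")

    return {
        "hidden_modules": {k: sorted(v) for k, v in hidden.items()},
        "device_path_modules": {k: sorted(v) for k, v in device_modules.items()},
        "hooked_apis": sorted({api for _, _, api, _, _ in hooks}),
        "appinit": appinit,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print(line)
```

Run against the full log, the report lists every process the hidden module was mapped into and which exported functions were redirected (NtWriteFile and LdrGetProcedureAddress through the IAT, GetHFONT, GetTextExtentPoint32W and CallNextHookEx inline). That the same module appears in svchost.exe, spoolsv.exe and alg.exe while AppInit_DLLs is empty is the point to notice: the injection is not coming from that registry value, so deleting the DLL by its device path from a live system is unlikely to be enough, which matches the experience in the post of scanners refusing to start.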