Author Topic: Confused!! Deleted bug keeps coming back!!

Offline paradiseyes

  • Newbie
  • Posts: 8
Confused!! Deleted bug keeps coming back!!
« on: January 12, 2009, 08:56:44 AM »
Hey guys,

This nasty keeps reappearing on my computer... "TrojWare.Win32.Rootkit.TDSS.cig@2554649" in my "System 32" folder under the name "TDSSotqt.dll". Comodo first detected it two weeks ago, so I deleted the file. I ran another scan right after and my computer came out clean. I normally do a full scan once a week, so the following Monday it was flagged again. So I deleted it again. I regularly delete my System Restore points, and the Registry is free from anything resembling this name, so I don't know why it keeps coming back. Then this morning, I scanned and lo and behold, it came back again!! So I deleted it and ran another scan, and Comodo says that I'm clean. But I know that when I run a scan in a couple more days, it'll somehow mysteriously come back.

I did some searching on the web for similar incidents, but half the forums out there are crooked and junk anyways. Does anyone know what this "Trojware.Win32" nasty is? Why it keeps reappearing? And how I can permanently delete the bug?

Thanks!!!

 :ilovecomodo:

Online JamesFrance

  • Comodo's Hero
  • Posts: 1270
Re: Confused!! Deleted bug keeps coming back!!
« Reply #1 on: January 12, 2009, 01:54:16 PM »
There is obviously a deeper problem than that as it comes back.

You could try this:


Please download F-Secure Blacklight (fsbl.exe) from here

Run the program and see what it finds.
James

Offline paradiseyes

  • Newbie
  • Posts: 8
Re: Confused!! Deleted bug keeps coming back!!
« Reply #2 on: January 14, 2009, 12:04:18 PM »
Thanks James.

I ran the program and it found nothing.

Have any other ideas?

Online JamesFrance

  • Comodo's Hero
  • Posts: 1270
Re: Confused!! Deleted bug keeps coming back!!
« Reply #3 on: January 14, 2009, 12:17:17 PM »
We could look at a HijackThis log to maybe see what else is going on:

Click here to download the HJTsetup.exe installer.
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
James

Offline paradiseyes

  • Newbie
  • Posts: 8
Re: Confused!! Deleted bug keeps coming back!!
« Reply #4 on: January 15, 2009, 06:39:15 AM »
Okay, here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:42 AM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comodo.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\PROGRA~1\MOZILL~1\FIREFOX.EXE http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.0.41&build=Symantec&a=00000082.00000003.00000008&b=00000082.0000001f.0000004b&c=00000082.00000045.00000119&d=00000082.00000049.000000bb&e=00000082.0000006f.00000148&f=00000082.000000e6.0000026f
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\Program Files\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Send to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F756A28D-DCD5-46be-BCAB-17C088D07227} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs:    C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DSBrokerService (dsbrokerservice) - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6646 bytes
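
An added example, not part of the thread and not code from HijackThis, Comodo or any other tool named here: a small Python triage script for a HijackThis log like the one above. It reads the text and flags the things a responder would look at first: load points that still end in "(no file)" (the registry still references a component that has been deleted), one CLSID referenced from several sections (here the O2 BHO and the O22 SharedTaskScheduler share {C5BF49A2-...}), SharedTaskScheduler names that look machine-generated (such as mcb7uehuj3n8weuhejsw), and any DLL path of the TDSS + random letters shape the original post mentions (TDSSotqt.dll). The sample input is a constructed subset of the posted log; the randomness heuristic, the TDSS name pattern and the finding labels are this example's own assumptions, not signatures from any vendor.

```python
"""Triage a HijackThis log for leftover and suspicious load points.

Added example for illustration; not from the forum thread or any tool it
names. SAMPLE_LOG is a constructed subset of the log posted in the thread.
The heuristics (looks_random, TDSS_DLL_RE) are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed from the posted log: only the lines needed to show each check.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - (no file)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O9 - Extra button: (no name) - {F756A28D-DCD5-46be-BCAB-17C088D07227} - (no file)
O20 - AppInit_DLLs:    C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed pattern: "TDSS" followed by a few random characters, as in TDSSotqt.dll.
TDSS_DLL_RE = re.compile(r"(?:^|\\)tdss[a-z0-9]{3,6}\.dll\b", re.I)


def looks_random(name):
    """Heuristic (assumption): a long lowercase alphanumeric token with digits
    scattered between letter runs, e.g. mcb7uehuj3n8weuhejsw."""
    if not re.fullmatch(r"[a-z0-9]{12,}", name):
        return False
    digit_runs = re.findall(r"[0-9]+", name)
    return len(digit_runs) >= 2 and sum(map(len, digit_runs)) < len(name) // 2


def is_tdss_name(path):
    """True if the path ends in a TDSS-style DLL name (assumed pattern)."""
    return bool(TDSS_DLL_RE.search(path))


def analyze(log_text):
    """Return a list of (kind, detail) findings for a HijackThis log."""
    findings = []
    by_clsid = defaultdict(list)  # CLSID -> sections that reference it
    for raw in log_text.splitlines():
        line = raw.strip()
        if is_tdss_name(line):
            findings.append(("tdss_name", line))
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, blank lines, headers
        section, body = m.groups()
        if body.endswith("(no file)"):
            # Registry load point still present, target file already gone.
            findings.append(("orphan", line))
        for clsid in CLSID_RE.findall(body):
            by_clsid[clsid.upper()].append(section)
        if section == "O22":
            # Shape: SharedTaskScheduler: <name> - {CLSID} - <file>
            name = body.split(":", 1)[1].split(" - ")[0].strip()
            if looks_random(name):
                findings.append(("random_name", line))
    for clsid, sections in by_clsid.items():
        distinct = sorted(set(sections))
        if len(distinct) > 1:
            findings.append(("shared_clsid", clsid + " in " + ", ".join(distinct)))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"[{kind:12}] {detail}")
```

The interesting output on the posted log is the O2/O22 pair: the same CLSID registered in two places, no backing file, and a gibberish SharedTaskScheduler name. Entries marked "(no file)" are inert on their own, but they are the registry side of something that was removed, which is worth recording before a cleanup tool deletes them.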

Online JamesFrance

  • Comodo's Hero
  • Posts: 1270
Re: Confused!! Deleted bug keeps coming back!!
« Reply #5 on: January 15, 2009, 07:52:36 AM »
I don't see any current problems in the log unless something is hiding from HijackThis. You could try renaming HijackThis.exe to say HijackNew.exe and run it again to see if there are any changes.

Otherwise if you have no problems with your computer, if it comes back again, try uploading the file to Virustotal:
http://www.virustotal.com/
James

Offline paradiseyes

  • Newbie
  • Posts: 8
Re: Confused!! Deleted bug keeps coming back!!
« Reply #6 on: January 15, 2009, 08:44:15 AM »
Thanks for taking a look James.

This morning Comodo alerted me of a bug on my system that wasn't present before. I've attached a screen shot of the dialogue box. You said to upload the suspicious file to VirusTotal, but here's the thing, these files in question, they won't upload, won't delete, and won't allow themselves to be moved or renamed, so I'm stuck.

Any more ideas?

P.S - I haven't even been on my computer and only logged onto the net to check this forum as I've been busy at work. How is it that this bug keeps popping out of nowhere?!?!

Online JamesFrance

  • Comodo's Hero
  • Posts: 1270
Re: Confused!! Deleted bug keeps coming back!!
« Reply #7 on: January 15, 2009, 10:11:41 AM »
Hi paradiseyes, there seem to be signs of a malware program called Antivirus 2009, so you could try running Malwarebytes to see if it can delete your bad files. You could follow the instructions here:
http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009


If it doesn't find anything, I think you need to post on a specialist help forum where they will guide you better than I can.

There are good people on this one who will answer you quickly if you join and post your HijackThis log as directed:
http://forum.securitycadets.com/index.php?s=59577060d6cbb9c1f983628fbb16f10b&showforum=2

Good luck,
« Last Edit: January 15, 2009, 10:56:53 AM by JamesFrance »
James

Offline paradiseyes

  • Newbie
  • Posts: 8
Re: Confused!! Deleted bug keeps coming back!!
« Reply #8 on: January 15, 2009, 02:47:34 PM »
Actually James you just solved my problem  ^_^.

I installed and ran Malwarebytes and it found 8 infected registry keys. One of the keys was infected by the TrojWare.Win32.Rootkit (which is the nasty who kept coming back, now I know why), and the others were from the problems I just had this morning.

So it's all fixed now. No more nasty bugs, and thanks to your advice, I won't have to worry about them coming back again!!

Thanks bud!!

 :comodorocks:

Offline fazio93

  • Comodo Volunteer
  • Global Moderator
  • Comodo's Hero
  • Posts: 2454
Re: Confused!! Deleted bug keeps coming back!!
« Reply #9 on: January 15, 2009, 07:20:18 PM »
I can't tell you how many times I've seen Malwarebytes as the savior.  :-TU

 :)
Windows 7 Ultimate 64-bit
CIS 5.12.256249.2599
Please remember to follow the Forum Policy.
