Sooo...just used Avast to get rid of Rootkit Malware.

And for the most part it worked! I'm over the moon because this virus was dogging my computer and beating everything I threw at it for the past few days. However, it was able to get rid of all the .SYS files except one. According to the registry it can't find it, and I can't seem to delete it or move it to the chest. I believe this is the spam file that is causing my Google searches to be redirected. Does anyone have any ideas? Thanks

Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
After install, click UPDATE and run a Quick Scan; click REMOVE SELECTED to quarantine anything found.

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found, come back and post the scan logs here.

Okay, used Malwarebytes (I don't trust the other thing you sent me) and it worked! :smiley: I'll post a copy of the scan log, but I do have a question: should my computer still be starting up so sluggishly even after the virus removal? That seems to be my only problem now.

Anyway, here is the log:

Malwarebytes’ Anti-Malware 1.44
Database version: 3785
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2/24/2010 1:44:28 PM
mbam-log-2010-02-24 (13-44-28).txt

Scan type: Quick Scan
Objects scanned: 133475
Time elapsed: 35 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\IDFcast.dll (Trojan.Hiloti) → Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fazutupuw (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\roua3o12pw (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toy5knq8oc (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\eventcreatexp.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) → Data: idfcast.dll → Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 93.188.164.117,93.188.161.64 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0d34edbc-218a-4fa1-8188-c328cccfad84}\NameServer (Trojan.DNSChanger) → Data: 83.149.115.157,4.2.2.1,93.188.164.117,93.188.161.64 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5e214caa-57f2-4323-a134-c9aea91c12fd}\NameServer (Trojan.DNSChanger) → Data: 83.149.115.157,4.2.2.1,192.168.2.1 167.206.251.129 167.206.251.130 → Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Paladin Antivirus (Rogue.PaladinAntivirus) → Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tedovitu.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\WINDOWS\IDFcast.dll (Trojan.Vundo.H) → Delete on reboot.
C:\WINDOWS\system32\fmfdisk.sys (Rootkit.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\system32\trz3F.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\system32\trz48.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\system32\trz49.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\system32\trz4B.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\system32\trz4C.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\system32\trz4D.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\1B.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\23.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\91B.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\win22.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\EE\Local Settings\Temp\xmsowaernc.tmp (Trojan.Hiloti) → Quarantined and deleted successfully.
C:\Documents and Settings\EE\Local Settings\Temp\00004361 (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Documents and Settings\EE\Local Settings\Temp\91A.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Documents and Settings\EE\Local Settings\Temp\_VOID21ef.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Documents and Settings\EE\Local Settings\Temp\_VOID654.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Documents and Settings\EE\Local Settings\Temp\_VOID65ed.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\WINDOWS\system32\Spool\prtprocs\w32x86\00007ff4.tmp (Rootkit.TDSS) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\mswintmp.dat (Malware.Trace) → Quarantined and deleted successfully.
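The log above carries the indicators a responder wants pulled out: the Run-key, service-key and LSA "Notification Packages" persistence, the resolvers written into Tcpip\Parameters\...\NameServer (the likely cause of the redirected Google searches), and the items still marked "Delete on reboot". The Python script below is an added example for this thread, not Malwarebytes' own tooling and not code posted by anyone in the thread. It parses MBAM 1.x-style log lines and reports nameserver addresses that are neither private (the home router) nor on an allowlist of resolvers you expect. The sample log lines, the TRUSTED_RESOLVERS allowlist and all helper names are constructed for the example; the ISP's own resolvers (such as the 167.206.x.x pair in the log above) have to be added to the allowlist by whoever knows the network, otherwise they are reported too.

```python
"""Pull responder-relevant indicators out of a Malwarebytes' Anti-Malware (MBAM 1.x)
log: persistence points, DNS hijacks and items still pending 'Delete on reboot'.
Added example for this thread; not Malwarebytes' own tooling."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the log posted above (a subset, not a copy).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fazutupuw (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: idfcast.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.117,93.188.161.64 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5e214caa-57f2-4323-a134-c9aea91c12fd}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,192.168.2.1 167.206.251.129 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\IDFcast.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fmfdisk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> [Data: ...] -> <action>". MBAM writes "->";
# forum copies often show it as a Unicode arrow, so both are accepted.
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9._-]+)\)\s*(?:->|→)\s*(?P<rest>.*)$")
ARROW = re.compile(r"\s*(?:->|→)\s*")

# Assumption: resolvers you expect to see. Add your ISP's here; anything else
# that is not a private (router) address is reported.
TRUSTED_RESOLVERS = {ipaddress.ip_address("4.2.2.1")}

# Locations the log shows malware using to survive a reboot or get loaded by LSASS.
PERSISTENCE = re.compile(
    r"(\\CurrentVersion\\Run\\|\\LSA\\Notification Packages$|\\Services\\[^\\]+$)", re.I
)


def parse_mbam(text):
    """Return a list of dicts {item, family, data, action}, one per detection line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # section headers, blank lines, "(No malicious items detected)"
        parts = ARROW.split(m.group("rest"))
        data = next((p[len("Data:"):].strip() for p in parts[:-1] if p.startswith("Data:")), None)
        entries.append({"item": m.group("item"), "family": m.group("family"),
                        "data": data, "action": parts[-1]})
    return entries


def rogue_nameservers(entries, trusted=TRUSTED_RESOLVERS):
    """DNS servers found in any Tcpip\\...\\NameServer value that are neither private
    nor trusted, in numeric order. These are what redirected the searches."""
    found = set()
    for e in entries:
        if not e["item"].lower().endswith("\\nameserver") or not e["data"]:
            continue
        for tok in re.split(r"[,\s]+", e["data"]):  # MBAM keeps the raw comma/space list
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:
                continue  # empty token or a hostname; skip it
            if not (ip.is_private or ip in trusted):
                found.add(ip)
    return [str(ip) for ip in sorted(found)]


def pending_reboot(entries):
    """Items MBAM could not remove while Windows was running; verify after the restart."""
    return [e["item"] for e in entries if e["action"].startswith("Delete on reboot")]


def persistence_points(entries):
    """Run keys, service keys and LSA notification packages the malware registered."""
    return [e["item"] for e in entries if PERSISTENCE.search(e["item"])]


def family_counts(entries):
    """How many detections per malware family, to see which infection dominates."""
    return Counter(e["family"] for e in entries)


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_LOG)
    print("families:", dict(family_counts(found)))
    print("persistence:", persistence_points(found))
    print("rogue DNS:", rogue_nameservers(found))
    print("still pending reboot:", pending_reboot(found))
```

To use it on the real log, read the saved mbam-log-*.txt into parse_mbam() instead of SAMPLE_LOG. A "Delete on reboot" item that is still on disk after the restart, or a NameServer value that comes back on the next scan, means something is re-writing it, and an offline scan from a boot disk is the next step rather than another scan from inside Windows.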

When you are dealing with rootkits, especially the nasty one you are dealing with, it is probably wise to, at some point, create a bootable antimalware disk from a known, CLEAN, computer, and then boot your infected system off that disk and scan that system. avast! does not make one that I am aware of, but avira does: http://free-av.com/en/tools/12/avira_antivir_rescue_system.html

Also, in addition to avast!, I have a lot of respect for Kaspersky. After MBAM and SAS have had a whack at it, try the AVP Tool. This is the Kaspersky AV 2010 engine with up-to-date signatures (the file is updated several times daily). Set heuristics to maximum and run a full system scan. Downloadable from: http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

SUPERAntiSpyware is a safe program (see my signature); most of the evangelists here use it, so run it.

Download Norman TDSS Cleaner. http://www.norman.com/support/support_tools/77201/en

When you have done this, follow this guide from essexboy and post the OTL log (you have already posted MBAM).
Then essexboy can see if you have more in there. He is the malware removal expert.
http://forum.avast.com/index.php?topic=53253.0

Thanks a lot for the tips, man. I'll look into both of those. So you think I may never be 100% free from this rootkit? Hence why my computer is lagging at startup?

The conventional wisdom is that once you are rooted, you are always rooted. You can probably get away with not reinstalling, however. You probably should at least scan from a bootable antimalware disk, like Avira. Scanning from windows, you can never be certain you have gotten everything.

I would probably install a HIPS firewall to lock down your system as well. That way, if any malware is missed and tries to update itself through mischievous outbound connections, you can catch it. If you have that secured, sooner or later the virus definitions will catch up with the malware and quarantine it (since it can't fetch and install updates from the malware authors).

Good options include:

(my favorite) Online Armor Free: http://www.tallemu.com/
Outpost free: http://free.agnitum.com/
PCTools free: http://www.pctools.com/firewall/
Comodo IS (install firewall only, enable D+, proactive security): http://www.comodo.com/home/internet-security/firewall.php

Whatever you choose (if you choose anything!) please take SPECIAL CARE to select an appropriate installation mode: what I mean is, in OnlineArmor, there is a setup wizard which allows you to “trust all” or “run setup wizard” … and Comodo has a “Clean PC mode” and other various modes.

Do not select "trust all" if you use Online Armor, and do not use the "Clean PC mode" if you use Comodo. Since you KNOW you are infected, what you would be doing is "trusting" the malware, so it would continue to run unchecked all over your system, because you told the firewall that your malware was "trusted" (wanted, invited) software.

If you don't know what a process is and you get a firewall prompt, it's easier to click "Deny" than "Allow", then research the process. In Online Armor, you can also click "Deny" → "Remember this decision" and then go to the program rules section and click on "File information" → if it is signed by a trusted vendor (ALWIL, Microsoft, Steam, etc.), then it is safe to allow.

Comodo is the pickiest and generates the most alerts. PCTools generates fewer alerts, but also lets through a couple things the other guys don’t.

Okay, gotcha. I’ll try that. Any advice for the slow windows start?

Ack, total fuck up that last one.

Run the following to restore system settings and figure this out (windows XP only):

  1. Run an MBAM FULL scan (Malwarebytes Anti-Malware, at the link given to you by the above posters)
  2. Run an SAS FULL scan (SUPERAntiSpyware, at the link given to you by one of the above posters)
  3. Run the Kaspersky AVP Tool at the link given to you above
  4. First run the Avira bootable antimalware CD; it sounds like, as you were cleaning your malware, you caused a system slowdown somewhere.
  5. (Optional) Run the Dr.Web LiveCD bootable antimalware CD; you will need ImgBurn or other CD/DVD burning software to do this. You need to mount the ISO (image) to a CD/DVD and boot off that on your infected system: http://www.freedrweb.com/livecd/
  6. Restore your security settings for XP/Vista to default settings, since you have been compromised and attacked by malware. Click on “fix it” at this Microsoft website: http://support.microsoft.com/kb/313222
  7. (Optional) If you have additional abnormalities (a funny desktop wallpaper, cannot start Registry Editor, Windows Update is off and cannot be turned on, Windows Firewall is off and cannot be turned on, can start Task Manager, etc.), please run the specific SAS repair tools by doing the following: SAS → PREFERENCES → go to the “Repairs” tab → click on the necessary repair from the scroll-down list and click “Repair” to fix those problems.
  8. After, and only after, eliminating all malware from your system, please do the following: ensure the avast! installation is valid and not corrupt (shields are active, you can run a quick scan without it crashing, etc.)
  9. If slow startup persists, troubleshoot using the following method: START → RUN → “msconfig” → check “Diagnostic startup” → go to the “Services” tab → check “Hide all Microsoft services” → go to the “Startup” tab → uncheck everything → reboot

See how fast your startup is then. Then re-enable startup items 1-by-1 until you hit a snag, and you have found your problem.
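Re-enabling startup items one at a time costs one reboot per item. The same isolation works with halves: re-enable half the list, reboot, and keep only the half that is still slow, which finds one offender in roughly 2*log2(n) reboots instead of n. The Python below is an added example for this thread, not a tool anyone in it mentioned, and it simulates the measurement: is_slow() stands in for timing the boot on the real XP box after re-enabling a given set of items, and the startup item names and their per-item delays are constructed. It assumes what the one-by-one procedure also assumes, namely that an offending item slows boot on its own rather than only in combination with another.

```python
"""Halving version of the msconfig startup bisection described above.
Added example for this thread, not a tool mentioned in it. is_slow() stands in
for whatever you measure on the real machine (boot time past a threshold after
re-enabling a set of items); here it is simulated."""


def find_culprits(items, is_slow):
    """Return (culprits, reboots): the startup items that make boot slow, found by
    testing groups rather than single items, and how many test boots it took.
    Assumes each culprit slows boot on its own (no two-item combinations)."""
    items = list(items)
    tests = 0

    def probe(group):
        nonlocal tests
        tests += 1                  # one reboot with exactly this group re-enabled
        return is_slow(frozenset(group))

    def search(group):
        if not probe(group):
            return []               # nothing in this half; drop it wholesale
        if len(group) == 1:
            return list(group)      # isolated one offender
        mid = len(group) // 2
        return search(group[:mid]) + search(group[mid:])

    return search(items), tests


def simulated_boot(costs, threshold=20.0):
    """Build an is_slow() for a fake machine: each enabled item adds a fixed delay
    (seconds) and boot counts as slow when the added delay passes the threshold.
    Constructed stand-in for a stopwatch on the real box."""
    def is_slow(enabled):
        return sum(costs[i] for i in enabled) > threshold
    return is_slow


# Constructed startup list: one leftover item dominates the boot time.
STARTUP_ITEMS = [f"startup_item_{n:02d}" for n in range(16)]
COSTS = {name: 0.5 for name in STARTUP_ITEMS}
COSTS["startup_item_11"] = 45.0


def demo():
    """Run the bisection against the constructed machine."""
    return find_culprits(STARTUP_ITEMS, simulated_boot(COSTS))


if __name__ == "__main__":
    culprits, reboots = demo()
    print(f"culprit(s): {culprits} after {reboots} reboots "
          f"(up to {len(STARTUP_ITEMS)} re-enabling one at a time)")
```

If the very first probe, with everything re-enabled, is not slow, the function returns an empty list after one reboot: the delay then lies in the services or drivers that "Diagnostic startup" disabled, not in the Startup tab, and the same halving applies to the Services tab list.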