Can't Boot XP Pro SP3, but Recovery Console Installed


32 replies to this topic

#16 Rich97702 (New Member, Authentic Member, 14 posts)
Posted 24 March 2010 - 07:32 AM

Hi Paws,
1. This is not the disc that was used to install the version of Windows XP Pro that is currently on my machine.
2 - 3. This is a friend's copy given to him by the tech that fixed his machine.
4. I'm about 50% complete (copying and pasting to USB hard drive via REATOGO).
Re: Drivers - How can I be sure that I have all of my drivers that are on the victim (XP Pro SP3)?
Rich



#17 Rich97702 (New Member, Authentic Member, 14 posts)
Posted 24 March 2010 - 10:14 AM

#4) I have now copied and pasted every file on the infected computer (running Kaspersky as I went) to:
K: [USB drive] \c
One last Kaspersky 2010 scan of K:\c moments ago showed no events. All files (less those shown below) are now retrievable.

These possibly notable events were logged during this project:
________________________________________________________________________________

*3/22/2010 10:48:08 AM Deleted Trojan program Trojan-Downloader.Win32.CodecPack.ktn File K:\c\Documents and Settings\Richard Feldman\Desktop\ video-plugin.40030.exe High
3/22/2010 10:56:12 AM Deleted Trojan program Trojan-Dropper.Win32.Agent.brpk File K:\c\Documents and Settings\Richard Feldman\Local Settings\Application Data\ rdr_1267657585.exe.exe High
3/22/2010 11:46:17 AM Deleted Trojan program Trojan-Downloader.Win32.CodecPack.ktn File K:\c\Documents and Settings\Richard Feldman\Local Settings\Application Data\Mozilla\Firefox\Profiles\wzqz4ucw.default\Cache\ 8535FE71d01 High
3/22/2010 10:56:12 AM Deleted Trojan program Trojan.Win32.Agent.dmtl File K:\c\Documents and Settings\Richard Feldman\Local Settings\Application Data\rdr_1267657585.exe.exe// data0000.res High
3/22/2010 10:56:12 AM Deleted Trojan program Trojan-Dropper.Win32.Agent.brpk File K:\c\Documents and Settings\Richard Feldman\Local Settings\Application Data\rdr_1267657585.exe.exe// data0001.res High
3/22/2010 10:56:12 AM Deleted Trojan program Packed.Win32.Krap.as File K:\c\Documents and Settings\Richard Feldman\Local Settings\Temp\ Zvh.exe High
3/22/2010 10:56:12 AM Deleted Trojan program Packed.Win32.Krap.as File K:\c\Documents and Settings\Richard Feldman\Local Settings\Temp\ Zvg.exe High
3/22/2010 10:56:13 AM Deleted Trojan program Packed.Win32.Krap.aq File K:\c\Documents and Settings\Richard Feldman\Local Settings\Temp\ Zvf.exe High
3/22/2010 3:30:24 PM Deleted Trojan program Trojan-PSW.Win32.LdPinch.xew File K:\c\WINDOWS\ exeshl.dll High
3/22/2010 3:38:05 PM Deleted Trojan program Trojan.Win32.Tdss.axqv File K:\c\WINDOWS\Temp\ 000057c8.sys High
3/22/2010 3:38:16 PM Deleted Trojan program Packed.Win32.Krap.aq File K:\c\WINDOWS\system32\spool\prtprocs\w32x86\ 0000599a.tmp High

3/22/2010 3:37:23 PM Disinfected virus Rootkit.Win32.TDSS.u File K:\c\WINDOWS\system32\drivers\ atapi.sys High
________________________________________________________________________________


* NOTE: "3/22/2010 10:48:08 AM Deleted Trojan program..." ON THE INFECTED COMPUTER THIS FILE NOW RESIDES IN THE REATOGO RECYCLE BIN, NOT C:\Documents and Settings\Richard Feldman\Desktop (And no, it didn't change a thing - no help).

Rich

Edited by Rich97702, 24 March 2010 - 10:18 AM.
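The detection list above is the kind of output a responder has to triage quickly: which hits lived in a user's temp/cache folders (disposable), and which touched the Windows system area or a kernel driver (the atapi.sys "Disinfected" entry, which is why the replies below say the disk controller driver itself was compromised). The following script is an added example, not code from the thread or from Kaspersky. It assumes the one-line report layout shown in the post (timestamp, action, object kind, detection name, "File", path, severity), that the infected volume was mounted on the rescue system under `K:\c`, and that `//` separates an archive from the member inside it; the sample lines are constructed from the detections listed above with the account name replaced by a placeholder.

```python
"""Triage Kaspersky-style detection lines copied out of an offline scan.

Each hit is re-rooted from the rescue-system mount (K:\\c) back to C:\\,
classified by where it lived on the original system, and the whole set is
summarised with a rebuild/clean recommendation. Assumed log layout and
sample data are constructed for this example, not taken from a product spec.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed line layout; a leading '*' (the poster's footnote marker) is tolerated.
LINE_RE = re.compile(
    r"^\*?(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Deleted|Disinfected|Detected|Quarantined) "
    r"(?P<kind>.+?) (?P<name>\S+) File (?P<path>.+?) (?P<severity>High|Medium|Low)$"
)

# Where the infected volume was mounted while scanning from the rescue disc (assumption).
MOUNT_PREFIX = r"K:\c"


@dataclass
class Detection:
    timestamp: str
    action: str
    name: str
    container: str   # path on the original volume, re-rooted to C:
    member: str      # inner file when the hit was inside an archive or bundle
    severity: str
    zone: str        # kernel-driver / system / user-profile / other


def normalize_path(path: str) -> tuple[str, str]:
    """Split 'container// member', fix the 'dir\\ file' spacing, re-root K:\\c -> C:."""
    container, _, member = path.partition("//")
    container = container.replace("\\ ", "\\").strip()
    if container.upper().startswith(MOUNT_PREFIX.upper()):
        container = "C:" + container[len(MOUNT_PREFIX):]
    return container, member.strip()


def classify_zone(container: str) -> str:
    """Rank the location: a hit under system32\\drivers is a boot-level concern."""
    p = container.lower()
    if p.startswith("c:\\windows\\system32\\drivers\\"):
        return "kernel-driver"
    if p.startswith("c:\\windows\\"):
        return "system"
    if p.startswith("c:\\documents and settings\\"):
        return "user-profile"
    return "other"


def parse_log(text: str) -> list[Detection]:
    """Parse every matching line; separators, blanks and notes are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        container, member = normalize_path(m["path"])
        found.append(Detection(m["ts"], m["action"], m["name"], container,
                               member, m["severity"], classify_zone(container)))
    return found


def triage(detections: list[Detection]) -> dict:
    """Summarise by zone and flag rootkit indicators (kernel-driver hits or TDSS/Rootkit names).

    A core driver that was 'Disinfected' rather than deleted was patched in place,
    so the safe course is the one the thread recommends: format and reinstall.
    """
    rootkit = [d for d in detections
               if d.zone == "kernel-driver" or re.search(r"rootkit|tdss", d.name, re.I)]
    return {
        "total": len(detections),
        "by_zone": dict(Counter(d.zone for d in detections)),
        "rootkit_indicators": [d.name for d in rootkit],
        "recommendation": "rebuild" if rootkit else "clean-and-monitor",
    }


# Constructed sample: a subset of the thread's detections with a placeholder user name.
SAMPLE_LOG = r"""
________________________________________________________________________________
*3/22/2010 10:48:08 AM Deleted Trojan program Trojan-Downloader.Win32.CodecPack.ktn File K:\c\Documents and Settings\<user>\Desktop\ video-plugin.40030.exe High
3/22/2010 10:56:12 AM Deleted Trojan program Trojan.Win32.Agent.dmtl File K:\c\Documents and Settings\<user>\Local Settings\Application Data\rdr_1267657585.exe.exe// data0000.res High
3/22/2010 10:56:12 AM Deleted Trojan program Packed.Win32.Krap.as File K:\c\Documents and Settings\<user>\Local Settings\Temp\ Zvh.exe High
3/22/2010 3:30:24 PM Deleted Trojan program Trojan-PSW.Win32.LdPinch.xew File K:\c\WINDOWS\ exeshl.dll High
3/22/2010 3:38:05 PM Deleted Trojan program Trojan.Win32.Tdss.axqv File K:\c\WINDOWS\Temp\ 000057c8.sys High
3/22/2010 3:37:23 PM Disinfected virus Rootkit.Win32.TDSS.u File K:\c\WINDOWS\system32\drivers\ atapi.sys High
________________________________________________________________________________
"""

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for d in hits:
        inner = f" (inside: {d.member})" if d.member else ""
        print(f"{d.zone:13} {d.action:11} {d.name:40} {d.container}{inner}")
    print(triage(hits))
```

Running it lists each hit with its zone and ends with the summary; for the sample above the summary reports one kernel-driver hit and two TDSS-family names, so the recommendation comes out as "rebuild", matching the advice given later in the thread.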


#18 ken545 (Forum God, Retired Classroom Teacher, MVP, 23,225 posts; Interests: Fighting Malware and cooking some great Italian and TexMex food)
Posted 24 March 2010 - 10:43 AM

Rich, You're infected with the TDSS rootkit and it looks like it infected your hard disk controller. Let's see what a repair install brings; if it was me I would do a format and complete new install of Windows.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Find us on Facebook - Please LIKE and SHARE
Just a reminder that threads will be closed if no reply in 3 days.

#19 paws (Tech Team, Administrator, 6,088 posts)
Posted 24 March 2010 - 10:51 AM

Hi Rich,
Before I saw your latest post my strategy was to:
1. Use the MS XP installation disc to access the Recovery Console and then use that as a springboard (editing the Registry) to get a System Restore Point that you had created a month or so ago to restore your system to that time... hopefully that would enable me to hand you back to Ken for him to work his magic on any malware present.
2. If step 1 above failed to get your machine to boot, then use the correct MS installation disc to carry out a repair installation of Windows (on top, non-destructive) and then hand you back to Ken.
3. Failing that, it would be a format and reinstall, wiping everything out and then installing Windows from scratch and then your applications, and then copying across your data.
Having had a good look at your last post... it's not a pretty sight! Your machine was heavily infected with some pretty nasty stuff. If it were my machine, I wouldn't hesitate... I would format and reinstall (the format will wipe out everything including the malicious stuff). However it's not my machine... it's yours, and I don't provide malware advice or assistance on this forum. I will PM Ken (send him a private message) and ask him to cast his expert eye over this and give his advice... at the moment, despite Kaspersky having dealt with a whole lot of infections, I am unwilling to continue with either Step 1 or Step 2 of the above strategy, as I don't believe either of these would be in your best interests... However, let's wait and see what Ken recommends.
Regards
paws
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. http://www.whatthetech.com/donate

#20 ken545 (Forum God, Retired Classroom Teacher, MVP, 23,225 posts)
Posted 24 March 2010 - 10:55 AM

Paws, did you miss my previous post?

 
 

#21 paws (Tech Team, Administrator, 6,088 posts)
Posted 24 March 2010 - 10:58 AM

Hi Rich, I see that I will have to learn to type a little faster as Ken has beaten me to it... I totally agree with Ken's comments... format and reinstall is the best option. However please be sure to only use the Windows XP OS that you are licenced to use... and you can use the Reatogo PE disc to obtain, via the "magical jelly bean", the Windows XP licence key (25 alphanumeric characters in 5 groups of 5), or if this doesn't work use the key shown on the COA... Certificate of Authenticity... (usually stuck to the bottom of the machine). Regards paws

#22 paws (Tech Team, Administrator, 6,088 posts)
Posted 24 March 2010 - 10:59 AM

Hi Ken, whilst your fingers were flying over the keyboard poor old paws was still pecking away at the keyboard... I can only use 2 claws! But on a good day I can sometimes operate the spacebar with my dewclaws... Regards paws

Edited by paws, 24 March 2010 - 11:03 AM.


#23 Rich97702 (New Member, Authentic Member, 14 posts)
Posted 24 March 2010 - 12:10 PM

I'd say you two have been at this so long you've lost your sense of adventure! Format? Reinstall? GEEZ! ;>)

"....and you can use Reatogo PE disc to obtain via the "magical jelly bean" the Windows XP licence key..."
Got it (and 3 other keys). I didn't realize the XP PRO # would differ from the # on the COA. Changes with Service Packs maybe?

I'm a bit of a software junkie so it would be nice to repair the machine that had all that stuff up and running on XP PRO SP3. On the other hand, this infection sounds like it should scare me into next week. Although I will be making a donation, I'm not paying for your time. If you both feel it best, all in all, not to try a repair, let's format and reinstall.
Thanks, you guys,
Rich

#24 ken545 (Forum God, Retired Classroom Teacher, MVP, 23,225 posts)
Posted 24 March 2010 - 12:29 PM

Hi Rich, What I am seeing may be just the tip of the iceberg. The TDSS rootkit is able to download and install all sorts of junk to your system; some of what it installed made your machine unbootable, and God only knows what other infections you have. Even cleaned, this computer can never be trusted to do any online transactions with banks or credit cards. Your hard disk controller is infected also, not good; it's best to do a clean install and be done with it. Want to point out also that once cleaned you need to reassess your surfing habits as far as what you download and the sites you frequent; somewhere along the line that's what infected you. Good luck on the reinstall. Ken

 
 

#25 Rich97702 (New Member, Authentic Member, 14 posts)
Posted 24 March 2010 - 01:28 PM

Ken and Paws, That's all I needed to hear. Reinstall it is. I won't start without direction. Thanks much, Rich



#26 Rich97702 (New Member, Authentic Member, 14 posts)
Posted 25 March 2010 - 08:20 AM

Good morning to you both - Removed partition, formatted, installed XP PRO SP3, installed 68 MS updates, 19 HP downloads, and installed Kaspersky AV. All seems to be A-OK. Any further instructions? Tips? Admonitions? Rich

#27 ken545 (Forum God, Retired Classroom Teacher, MVP, 23,225 posts)
Posted 25 March 2010 - 09:15 AM

Rich, Maybe Paws may have a few things to add, but malware-wise I will post back at Safer. Glad you're up and running again.

 
 

#28 paws (Tech Team, Administrator, 6,088 posts)
Posted 26 March 2010 - 10:30 AM

Hi Rich,
Well done on completing the format and reinstall, I think this was the right course of action to take.
Have you taken a disc image?
Now your machine is working fast and sweet with no malware, and with all your applications installed and running perfectly, now is the time to take a disc image, verify it, keep it safe on removable media, make a bootable CD (for use in case that some time in the future Windows won't load), and then in the event that you ever hit serious trouble that cannot be resolved in a timely or cost-effective way by the normal means, you will be able to re-image your machine back to its "perfect state" in less time than it takes to walk the dog!
I favour Acronis for disc imaging, and Paragon is also good; Norton Ghost has been providing imaging for years, but they all cost money! For free software take a look here:
http://www.thefreeco...pandimage.shtml
If you go down the imaging route and everyone else follows your good example then the likes of Ken and me will be out of a job!
Regards and good luck for the future
paws

#29 Rich97702 (New Member, Authentic Member, 14 posts)
Posted 26 March 2010 - 01:48 PM

Hi Paws, Acronis was suggested as well by a good friend in the IT business. I think I'll go that route. It sure looks like it simplifies matters! Thanks so much Paws, Rich

#30 paws (Tech Team, Administrator, 6,088 posts)
Posted 26 March 2010 - 02:22 PM

:thumbup: