I'm looking at a friend's fairly old Dell Dimension 4600c with XP Home.
It runs as slow as molasses!

Out of frustration, he just bought a new Gateway with Windows 7. (I
guess he had been wanting a new PC lately, anyway.) He asked me to set
it up and transfer his old files to it.

I offered to take the PC home to see if I could rehab it. I will very
likely reformat the hard drive and perform a Clean Install.

But before I do that, I might want to take a crack at addressing and
solving the problem.

There is strong evidence malware (a trojan and/or rootkit) was/is on
this system. Here is the evidence:

1. I removed the hard drive and used my PC to scan it for malware, using
Avira AntiVir and MBAM. There were interesting results (at least to me):

a. A scan of the drive with Avira revealed only warnings (61), all of
them stating that files beginning with "E:\WINDOWS\$NtUninstallKB..."
could not be opened.

b. A scan of the drive with MBAM revealed only one infection: bottom.bmp
(Spyware.Onlinegames), which was found in the Lexmark scanner/printer
folder in E:\Program Files (!).

Okay, so far, not tons of evidence. But.....

c. As MBAM was scanning, Avira's guard was activated and ran. Then an
alert came up! The suspicious file:

E:\WINDOWS\SYSTEM32\TDSSosvd.dat

Okay, there's something!

I found two other files beginning with TDSS in the E:\WINDOWS\SYSTEM32
folder:

TDSSfpmp.dll
TDSStkdv.log

I uploaded all of these to the Jotti's Malware Scan and VirusTotal Web
sites. Although there was nothing approaching unanimity, these files
seemed potentially dangerous. See:

http://virusscan.jotti.org/en/scanre...169f3f19e3d074

http://virusscan.jotti.org/en/scanre...b46338ba67f589

The first one (TDSSosvd.dat) was identified by VirusTotal as
TR/Agent.439 Trojan-Dropper.Agent (which also was what Avira returned).
The second one (TDSSfpmp.dll) was identified by VirusTotal as Vundo.DZC
Mal/TDSSConf-A.

I'm sure there are still other nasties on this drive.

The log file was clean (just a .txt file).

2. As I was copying data, I stumbled upon a text file (avenger.txt). So
at one point someone was trying to remove something. Here are the
contents of that file:

<quote>

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\drivers\TDSSmhxt.sys" not found!
Deletion of file "c:\windows\system32\drivers\TDSSmhxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "TDSSserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

</quote>

Okay, so there's the evidence. :-)

I Googled for methods to deal with this trojan. It seems like I would
need to run HJT and SDFix at the very least (and maybe OTMoveIt3, too).
I also see that "The Avenger2 by Swandog46" (just mentioned by me above)
is recommended on this page:

http://www.bleepingcomputer.com/foru...177293-15.html

(FixPolicies.exe, ComboFix, and Registrar Lite are also mentioned. Wow!
That's a lot of work!)

Although this may be a learning experience, I wonder if a Clean Install
would be much quicker. :-)

If anyone here has experience with this particular trojan, I would
appreciate input.

Thanks so much in advance!
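As an added example (not part of the post above, nor code from any of the tools it names), here is an offline triage script for the approach the post describes: pull the drive, mount it read-only on a clean machine, flag files that follow the TDSS naming pattern in system32 and drivers, and hash them so the hashes can be looked up on VirusTotal or Jotti before anything is uploaded. It assumes the mounted volume root (e.g. `E:\` or `/mnt/e`) is passed to `triage_volume`; `build_sample_volume` is a constructed stand-in made of harmless dummy files, not the real drive.

```python
import hashlib
import os
import re
import tempfile

# Naming pattern of the files the post found (TDSSosvd.dat, TDSSfpmp.dll, TDSSserv.sys)
TDSS_NAME = re.compile(r"^tdss[a-z0-9]{4}\.(dat|dll|sys|log)$", re.IGNORECASE)
# Directories the post found them in, relative to the volume root
SYSTEM_DIRS = ("windows/system32", "windows/system32/drivers")

def sha256_of(path):
    """Hash in chunks so a large file need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_volume(root):
    """Walk a mounted volume; return sorted (relative_path, sha256, in_system_dir) for every
    TDSS-pattern file. Directory names are lower-cased because the drive may be mounted
    on a case-sensitive host; files that cannot be read get None instead of a hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        for name in files:
            if not TDSS_NAME.match(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError:  # locked or unreadable, like the $NtUninstallKB warnings
                digest = None
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.append((rel, digest, rel_dir in SYSTEM_DIRS))
    return sorted(hits)

def build_sample_volume():
    """Constructed stand-in for the friend's drive (harmless dummy files, not malware),
    laid out as the post describes. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="xp_volume_")
    layout = {"WINDOWS/SYSTEM32/TDSSosvd.dat": b"abc", "WINDOWS/SYSTEM32/TDSSfpmp.dll": b"",
              "WINDOWS/SYSTEM32/TDSStkdv.log": b"", "WINDOWS/SYSTEM32/drivers/TDSSserv.sys": b"",
              "Program Files/Lexmark/bottom.bmp": b""}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```

Running `triage_volume` on the real mounted volume lists each TDSS-named file with its hash, which is the value the scanning sites accept for a lookup; bottom.bmp is deliberately not matched, since its name gives nothing away and only a signature scan (as with MBAM) catches it.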