tdsskiller: TrojanTDSS modified? Results of removal are different from shown
#1
Posted 15 December 2011 - 03:59 AM
Then tried to run it as the .exe file in the program list and got the same warning that another instance of the utility is running, with the Initialization screen that got as far as 10% on the initialization status bar but never went any further; and now, after 15 minutes have gone by, it has NOT gone any further than the initial 10% shown by the status bar, so the malware designers may have modified the trojan to interfere with what Kaspersky Labs had initially developed.
What to try next? There never was any kind of report developed.
Fairweather
#2
Posted 15 December 2011 - 12:42 PM
There are ways to run tdsskiller in these cases:
Running FixTDSS from Symantec
or
Deleting unknown kernel callbacks using RootRepeal and then running TDSSKiller
#3
Posted 15 December 2011 - 02:50 PM
Thanks for taking the time to review the posting and offering a solution. I did as you suggested and went to Symantec to get FixTDSS, which was downloaded from the Backdoor.Tidserv Removal Tool page.
Accessed it from a clean machine, downloaded it to a flash drive and connected that to the infected machine. Opened it from the flash drive and ran (scanned) it. When it finished, it had a message that Backdoor.Tidserv was not found, so I apparently sent you down the wrong path and somehow described the symptoms wrong.
But the machine is still infected with something(s). The most apparent problem was seemingly (Google?) misdirections (not all the time), and on occasion it added maybe a dozen new tabs to many other websites. Now this morning, I cannot get to the internet. I get the message that the "server cannot be found", and get this message on both Mozilla and IE. Called the service provider to see if there was a problem at their end; they checked and said everything looked okay. Then thought to try the second computer and, switching the ethernet cabling, finally was able to get the 'net with the second computer. So apparently the first computer has something(s) that first misdirects, and now blocks access to the 'net.
Sorry for that, but I don't know what to try to find out what the rogue software or malware is.
Any further thoughts on what to try next?
Fairweather
#4
Posted 15 December 2011 - 05:25 PM
If you are not able to launch it even now, check this FAQ on running tdsskiller:
http://en.kioskea.net/faq/18862-rootkit-boot-sst
You need to copy the tools to the infected PC and run them there.
Now
Please download Farbar Service Scanner
http://download.bleepingcomputer.com/farbar/FSS.exe
and run it on the computer with the issue.
* Make sure "Include All Files" option remains checked.
* Press "Scan".
* It will create a log (FSS.txt) in the same directory the tool is run.
* Please copy and paste the log into your reply.
#5
Posted 16 December 2011 - 06:19 PM
Thanks yet again for taking the time to sort out the problems. On to your instructions on what to run or check next.
I downloaded a new copy of TDSSKiller from the link at BleepingComputer to a flash drive. Then connected it to the infected computer and was able to run it as administrator, getting the message, "processed 367 objects, no threat was found."
Then, on your request to run the Farbar Service Scanner, downloaded it to the flash drive, connected it to the infected computer and again ran it as administrator. The scan text is included in this post.
Farbar Service Scanner
Ran by David (administrator) on 16-12-2011 at 17:04:16
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
********************************************************
Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.
File Check:
===========
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.
**** End of log ****
#6
Posted 16 December 2011 - 10:15 PM
http://jpshortstuff.247fixes.com/SystemLook.exe
Launch it and copy this script and paste it in the box
:filefind
tdx.sys
:reg
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\tdx /s
Click on the LOOK button
Post the generated log here
#7
Posted 17 December 2011 - 08:00 AM
#8
Posted 17 December 2011 - 02:03 PM
Again, thanks for hanging in.
Downloaded the jpshortstuff file to the flash drive and connected it to the infected computer. Ran it as administrator. The generated log is posted below.
Log:
SystemLook 30.07.11 by jpshortstuff
Log created at 12:50 on 17/12/2011 by David
Administrator - Elevation successful
========== filefind ==========
Searching for "tdx.sys"
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --a---- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] CB39E896A2A83702D1737BFD402B3542
========== reg ==========
[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\tdx]
(Unable to open key - key not found)
-= EOF =-
#9
Posted 17 December 2011 - 02:14 PM
BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
- Please download Erunt
- Run the setup program to install ERUNT on your computer
Note: to restore your registry, go to the folder and start ERDNT.exe
Please download OTL from one of the following mirrors:
- Save it to your desktop.
- Double click on the icon on your desktop.
- Copy and Paste the following code into the textbox.
:files
c:\windows\system32\drivers\tdx.sys|C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys /replace
:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx]
"DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
"Group"="PNP_TDI"
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,74,64,78,\
  2e,73,79,73,00
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Tag"=dword:00000004
"Type"=dword:00000001
"DependOnService"=hex(7):54,63,70,69,70,00,00
"Description"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\Enum]
"0"="Root\\LEGACY_TDX\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
- Push
- OTL may ask to reboot the machine. Please do so if asked.
- Click the OK button.
- A report will open. Copy and Paste that report in your next reply.
#10
Posted 21 December 2011 - 10:50 PM
Narenxp:
Sorry for the delay. Had to write the code down, then type it in by keystrokes. The code must have been entered as some kind of object: I could highlight the code and do a Ctrl-C to copy, but the paste function was greyed out, so I had to copy it to paper from the unaffected machine and enter it by keystrokes on the infected machine, but the report is attached.
And it looks like there may be a problem looking at the second to last line of the report, "invalid data type"; I may have mistyped part of the code for that line. Don't know how to fix it, so I will await your next set of instructions when you guys have time.
Again, thanks for continuing to try to help me get rid of the nastiness.
Fairweather
========== FILES ==========
File c:\windows\system32\drivers\tdx.sys successfully replaced with C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"DisplayName"|"@%SystemRoot%\\system32\\tcpipcfg.dll,-50004" /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"Group"|"PNP_TDI" /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"ImagePath"|hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,74,64,78,2e,73,79,73,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"ErrorControl"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"Start"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"Tag"|dword:00000004 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"Type"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"DependOnService"|hex(7):54,63,70,69,70,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\\"Description"|"@%SystemRoot%\\system32\\tcpipcfg.dll,-50004" /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\Enum\\"0"|"Root\\LEGACY_TDX\\0000" /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\Enum\\"Count"|dword":00000001 /E :invalid edit format. Invalid data type.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\Enum\\"NextInstance"|dword:00000001 /E : value set successfully!
OTL by OldTimer - Version 3.2.31.0 log created on 12212011_212237
#11
Posted 22 December 2011 - 08:18 AM
#12
Posted 22 December 2011 - 12:11 PM
Narenxp:
I restarted the infected computer this morning and got a not very comforting message.
Message:
ERU for Windows NT
Unable to create file:
C:\Windows\ERDNT\Autobackup\12-22-2011\ERDNT.INF
Registry backup will continue, but no restore information for ERDNT will be saved, this means that later restoration of the registry can only be done manually, by using another OS to copy back the files
OK (button)
Like:
Going back into the OTL program and re-entering the one instruction under :reg that has the bad data type:
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tdx\Enum\\"Count"|dword":00000001 /E :invalid edit format. Invalid data type.
or
Going back into OTL and re-entering all of the instructions; this time maybe you could send a file that I can copy and paste, so as not to make a mistake if I mistype something?
Don't know what to do next. Again, I have not turned off the computer, "X"ed out the message or hit the OK button, so maybe something can be done before the "scan and fix" gets executed.
Your turn, thanks again for trying to help fix this; hope this is not a fatal error.
David
I have not turned off the computer in case something needs to be undone, and I did run the registry backup program before trying any of this.
#13
Posted 22 December 2011 - 12:25 PM
#14
Posted 22 December 2011 - 12:57 PM
I'm getting confused about what to do next.
First, I can get to the internet on the healthy computer, just a different machine accessing the ISP, but have not tried to go past the notice about the ERDNT file problem. You say I can safely reboot. How does one do that? Try to reboot in SAFE mode? How can it reboot if it can't create one of the executable files?
As I say, I'm confused as to what to do first.
Like: what first?
What second?
Is this error recoverable? Again, you say I can reboot, but exactly how? It seems we have to get by the ERDNT file problem, then reboot before trying to get to the internet. Or are you saying ignore the warning, click "OK", and then somehow the computer will know how to reboot by itself?
David
#15
Posted 22 December 2011 - 02:10 PM
What I meant with "safely" is, you can restart without having to worry about the Erunt problem.