Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirections, tdssservers.dat and others


  • Please log in to reply
1 reply to this topic

#1 Coachbill

Coachbill

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:39 PM

Posted 12 October 2008 - 01:22 PM

This post may be a little short on technical detail, but I am hoping it will help those of you pulling your hair out over this one. HiJackThis didn't find it, neither did SpyBot.

I went nuts with this when my daughter came home from school with an infected laptop. Symptoms included a runaway iexplore.exe running in the background that would eventually chew up available memory and freeze the computer. While shooting that problem, I found the redirection issue.

After much trial and error, I followed the directions for running SDFix found here:
http://www.geekstogo.com/forum/High-CPU-an...ed-t199631.html

After rebooting and finishing with SDFix (log posted below) McAfee detected the trojan and repaired (removed) the offending files, identifying them as DNSChanger.gen (Trojan) and Generic FakeAlert.a (Trojan). The computer is now exorcised.

********************************** SDFix log follows **************************************

SDFix: Version 1.234
Run by Administrator on Sun 10/12/2008 at 01:05 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
C:\WINDOWS\system32\TDSSerrors.log - Deleted
C:\WINDOWS\system32\tdssinit.dll - Deleted
C:\WINDOWS\system32\tdssl.dll - Deleted
C:\WINDOWS\system32\tdsslog.dll - Deleted
C:\WINDOWS\system32\tdssmain.dll - Deleted
C:\WINDOWS\system32\tdssserf.dll - Deleted
C:\WINDOWS\system32\tdssservers.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-12 13:17:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\lxcgcoms.exe"="C:\\WINDOWS\\system32\\lxcgcoms.exe:*:Enabled:2300 Series Server"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe:*:Enabled:2300 Series Printer Status"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\lxddcoms.exe"="C:\\WINDOWS\\system32\\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"="C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"="C:\\Program Files\\Lexmark 2500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Lexmark 2500 Series\\app4r.exe"="C:\\Program Files\\Lexmark 2500 Series\\App4R.exe:*:Enabled:BorgListener"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 5 Nov 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 31 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 14 May 2007 117 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti61.tmp"
Fri 12 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 12 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Tue 23 Sep 2008 24,064 A..H. --- "C:\Documents and Settings\User Name\Desktop\Fall 08\~WRL0005.tmp"
Sat 17 Nov 2007 24,576 ...H. --- "C:\Documents and Settings\User Name\My Documents\Fall 07\~WRL0003.tmp"
Wed 14 Nov 2007 24,576 ...H. --- "C:\Documents and Settings\User Name\My Documents\Fall 07\~WRL1419.tmp"
Sat 17 Nov 2007 25,088 ...H. --- "C:\Documents and Settings\User Name\My Documents\Fall 07\~WRL3195.tmp"
Tue 13 Feb 2007 19,968 ...H. --- "C:\Documents and Settings\User Name\My Documents\Spring 07\~WRL3662.tmp"
Tue 25 Mar 2008 29,184 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL0115.tmp"
Tue 25 Mar 2008 30,720 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL0300.tmp"
Tue 25 Mar 2008 31,232 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL0579.tmp"
Mon 25 Feb 2008 49,664 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL1112.tmp"
Tue 25 Mar 2008 31,232 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL1745.tmp"
Tue 25 Mar 2008 30,208 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL2499.tmp"
Tue 25 Mar 2008 31,232 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL2784.tmp"
Tue 25 Mar 2008 24,576 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL3223.tmp"
Tue 25 Mar 2008 31,744 A..H. --- "C:\Documents and Settings\User Name\My Documents\Spring 08\~WRL3970.tmp"
Mon 31 Jul 2006 4,348 ...H. --- "C:\Documents and Settings\User Name\My Documents\My Music\License Backup\drmv1key.bak"
Fri 16 Feb 2007 20 A..H. --- "C:\Documents and Settings\User Name\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 31 Jul 2006 400 A.SH. --- "C:\Documents and Settings\User Name\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

BC AdBot (Login to Remove)

 


m

#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:39 PM

Posted 12 October 2008 - 07:32 PM

Hi CoachBill and welcome to BleepingComputer. The infection you have is a very nasty rootkit.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Let me know how you wish to proceed.
We will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Thanks
rigel

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users